Business Associate Agreements (BAA)
The Business Associate Agreement (BAA) module enables organizations to manage legal contracts between themselves and external vendors, ensuring HIPAA compliance.
This feature facilitates secure document upload, assignment, and signing workflows with invited vendors.
What is a BAA?
A Business Associate Agreement is a legally required contract that ensures vendors handling sensitive health information comply with HIPAA regulations.
BAA Workflow Overview
1. Upload
- Org Admin uploads a BAA document (PDF or DOCX).
- Document can be tagged or organized into folders.
2. Invite Vendor
- The vendor is invited via email from the BAA page.
- The invite includes a magic link; no password is required.
3. Assign Document
- The uploaded BAA is assigned to one or more vendors.
- Admin can add multiple vendors per document if needed.
4. Vendor Action
- Vendor opens the link and accesses their simplified dashboard.
- They review, sign, and download the agreement.
- Once signed, the status is reflected in the system.
5. Audit and Logs
- The platform records who uploaded, sent, and signed each document, and when.
Who Can Use the BAA Module?
| Role | Access Level |
|---|---|
| Org Admin | Full access |
| Compliance Analyst | Full access (if scoped) |
| Org Auditor | Read-only |
| Employee | No access |
| Vendor | Sign assigned documents only (via magic link) |
BAA Page Capabilities
For Org Admins & Compliance Analysts:
- Upload and manage documents
- Invite and manage vendors
- View status of sent BAAs
- Track vendor completion
- Revoke invitations
For Vendors:
- No account or password
- Can access only assigned documents
- Can sign and download once
- Cannot view internal team or folders
Vendor Dashboard (Magic Link Access)
- Vendors cannot self-register.
- Vendors are invited only by organization admins.
- A vendor may be affiliated with multiple organizations, each with different agreements.
- On login via magic link, the vendor:
- Chooses an organization
- Views all BAAs assigned to them
- Signs them digitally
- Downloads signed copies for records
Vendors have no visibility into the organization’s users or settings.
Signature Quality and Audit Trail
Every BAA signature is now backed by the unified signature model:
| Field | What it records |
|---|---|
| Content hash | SHA-256 of the exact file bytes at signing time |
| Signature hash | Tamper-evident hash of subjectType:subjectId:versionId:signerType:signerId:contentHash:issuedAt |
| IP address | The vendor's IP at the moment of signing |
| User-agent | The browser/client string at signing |
| issuedAt | ISO timestamp frozen at write time; never updated |
Re-sign prevention is enforced at the database level. Once a vendor has signed a BAA, the system will reject any attempt to sign the same agreement again (returns an error). Admins cannot manually override this without direct database access.
Document versioning — each signature is bound to a DocumentVersion row that records which exact file was in use. If the agreement file is replaced, existing signatures remain valid against the old version.
Audit events written per signing action:
- SIGN_DOCUMENT: logged to the organization's audit log with vendorId, resource, timestamp, IP, and user-agent.
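The following Python is an added example, not the platform's own code, that models the signature record described above: the SHA-256 content hash of the file bytes, the signature hash over the colon-joined fields in the order the table lists, an issuedAt that is fixed when the record is built, and a UNIQUE constraint standing in for the database-level re-sign guard. Assumptions: the page names the fields of the signature hash but not its algorithm, so SHA-256 is used here; the names build_record, verify_record, SignatureStore and AlreadySignedError and the sample file bytes are constructed for illustration; uniqueness is keyed on the agreement and signer (matching "sign the same agreement again"), and the example takes no position on whether a replaced file reopens signing, which the page does not state.

```python
import hashlib
import sqlite3
from datetime import datetime, timezone

# Field order of the signature-hash payload, exactly as the table above lists it.
FIELD_ORDER = ("subjectType", "subjectId", "versionId",
               "signerType", "signerId", "contentHash", "issuedAt")


class AlreadySignedError(Exception):
    """Raised when the database rejects a second signature on the same agreement."""


def content_hash(file_bytes: bytes) -> str:
    """SHA-256 of the exact file bytes at signing time."""
    return hashlib.sha256(file_bytes).hexdigest()


def signature_hash(record: dict) -> str:
    """Tamper-evident hash over the colon-joined bound fields.
    Assumption: SHA-256 (the page names the fields, not the algorithm)."""
    payload = ":".join(str(record[field]) for field in FIELD_ORDER)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_record(subject_id, version_id, signer_id, file_bytes, ip, user_agent,
                 issued_at=None, subject_type="BAA", signer_type="VENDOR"):
    """Assemble one signature record; issuedAt is frozen when the record is built."""
    if issued_at is None:
        issued_at = datetime.now(timezone.utc).isoformat(timespec="seconds")
    record = {
        "subjectType": subject_type, "subjectId": subject_id, "versionId": version_id,
        "signerType": signer_type, "signerId": signer_id,
        "contentHash": content_hash(file_bytes), "issuedAt": issued_at,
        "ip": ip, "userAgent": user_agent,
    }
    record["signatureHash"] = signature_hash(record)
    return record


def verify_record(record: dict, file_bytes: bytes) -> bool:
    """True only if the file bytes and every bound field are unchanged."""
    return (content_hash(file_bytes) == record["contentHash"]
            and signature_hash(record) == record["signatureHash"])


class SignatureStore:
    """In-memory SQLite stand-in for the signatures table. The UNIQUE constraint
    makes re-sign prevention a database guarantee, not an application-side check."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("""
            CREATE TABLE signatures (
                subject_type TEXT NOT NULL, subject_id TEXT NOT NULL,
                version_id TEXT NOT NULL, signer_type TEXT NOT NULL,
                signer_id TEXT NOT NULL, content_hash TEXT NOT NULL,
                signature_hash TEXT NOT NULL, issued_at TEXT NOT NULL,
                ip TEXT, user_agent TEXT,
                UNIQUE (subject_type, subject_id, signer_type, signer_id)
            )""")

    def sign(self, record: dict) -> dict:
        """Persist a signature; a second signature on the same agreement is rejected."""
        try:
            self.db.execute(
                "INSERT INTO signatures VALUES (?,?,?,?,?,?,?,?,?,?)",
                (record["subjectType"], record["subjectId"], record["versionId"],
                 record["signerType"], record["signerId"], record["contentHash"],
                 record["signatureHash"], record["issuedAt"],
                 record["ip"], record["userAgent"]))
        except sqlite3.IntegrityError as exc:
            raise AlreadySignedError(
                f"{record['signerId']} already signed {record['subjectId']}") from exc
        self.db.commit()
        return record

    def count(self) -> int:
        return self.db.execute("SELECT COUNT(*) FROM signatures").fetchone()[0]


if __name__ == "__main__":
    # Constructed sample input standing in for an uploaded PDF.
    doc_v1 = b"%PDF-1.7 constructed BAA v1"
    store = SignatureStore()
    rec = store.sign(build_record("baa_123", "ver_1", "vendor_42", doc_v1,
                                  "203.0.113.9", "Mozilla/5.0"))
    print("verifies:", verify_record(rec, doc_v1))
    print("tampered file verifies:", verify_record(rec, doc_v1 + b" edited"))
    try:
        store.sign(build_record("baa_123", "ver_2", "vendor_42", b"%PDF-1.7 v2",
                                "203.0.113.9", "Mozilla/5.0"))
    except AlreadySignedError as err:
        print("re-sign rejected:", err)
```

Because the signature hash binds versionId and contentHash, a signature taken against the old file keeps verifying against the old bytes after the agreement file is replaced, while any change to the bytes or to a bound field such as issuedAt breaks verification.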
Troubleshooting Tips
- Vendor not receiving link: Check email validity and spam folder.
- Magic link expired: Re-send the invitation from the BAA module.
- Document not loading: Ensure the uploaded format is supported (PDF/DOCX only).