Business Associate Agreement

Last updated: March 3, 2026

BAA Available Upon Request

A Business Associate Agreement (BAA) is available upon request for qualified covered entities. To request a BAA, please contact us at Ifat@hlistix.com or use our contact form.

What Is a BAA?

Under the Health Insurance Portability and Accountability Act (HIPAA), a Business Associate Agreement is a contract between a covered entity (such as a healthcare provider) and a business associate (a service provider that may access Protected Health Information on behalf of the covered entity).

A BAA establishes the permitted uses and disclosures of PHI, the safeguards the business associate must implement, and the responsibilities of each party in the event of a data breach.

What the Hlistix BAA Covers

The Hlistix BAA addresses the following areas:

Definitions and Scope

Defines the relationship between the practitioner (covered entity) and Hlistix (business associate), the services covered, and the types of information that may be processed.

Permitted Uses and Disclosures

Specifies how Hlistix may use or disclose PHI — limited to providing and maintaining the Service, and as required by law.

Safeguards and Security Obligations

Describes the administrative, physical, and technical safeguards Hlistix implements to protect PHI, including:

  • TLS encryption for data in transit
  • AES-256 encryption for data at rest
  • Role-based access controls
  • Audit logging and monitoring
  • Secure cloud infrastructure
Breach Notification Procedures

Establishes the process and timeline for notifying the covered entity in the event of a security incident or unauthorized access to PHI, consistent with HIPAA requirements.

Term and Termination

Defines the duration of the agreement, conditions for termination, and obligations regarding return or destruction of PHI upon termination.

Infrastructure

Hlistix infrastructure runs on Google Cloud Platform, which offers HIPAA-eligible services. All data is stored in encrypted, access-controlled environments with comprehensive audit logging.

Practitioner Responsibility

Hlistix is classified as Non-Device Clinical Decision Support (CDS) under the 21st Century Cures Act (Section 3060(a)). The platform supports but does not replace independent clinical judgment, and does not automate or direct patient care decisions.

Practitioners are solely responsible for determining whether information they upload constitutes PHI, for obtaining appropriate patient consent, and for compliance with applicable privacy laws and regulations.

How to Request a BAA

If you are a qualified covered entity and would like to request a BAA, please contact:

Operator: Ifat Shterenberg — Sole Proprietor (Israel)
Email: Ifat@hlistix.com

Please include:

  • Your name and professional title
  • Organization name (if applicable)
  • License state and type
  • Brief description of intended use

Related Policies

Back to Home