HIPAA Business Associate Agreement

Last updated: June 13, 2026

DDSEMail will sign a HIPAA Business Associate Agreement (BAA) with covered-entity customers using service tiers that handle protected health information. This page summarizes what the BAA covers, which features are in scope, and how to request the executed agreement — it is not itself the binding contract.

About this page

This is an overview of the HIPAA Business Associate Agreement DDSEMail enters into with covered entities (and their business associates, where applicable). The binding agreement is the executed BAA document we provide on request — not this page. Request the executable BAA at {{TODO: BAA contact email}}.

What HIPAA requires

The HIPAA Privacy and Security Rules require a covered entity to enter into a written contract with each business associate that creates, receives, maintains, or transmits protected health information (PHI) on its behalf. A BAA obligates the business associate to safeguard PHI, restrict uses and disclosures, report incidents, support the covered entity's compliance, and return or destroy PHI at termination.

What our BAA covers

  • DDSEMail's permitted uses and disclosures of PHI strictly to operate the Service for you.
  • Safeguards: administrative, physical, and technical (encryption in transit and at rest, access controls, audit logging — see Security).
  • Sub-processors: only the providers listed on the Sub-processors page, each bound by equivalent privacy and security terms.
  • Incident reporting: prompt notification of security incidents and breaches consistent with HIPAA Breach Notification.
  • Individual rights support: assistance with requests for access, amendment, and accounting of disclosures that are routed through you.
  • Return or destruction of PHI on termination, where feasible.

Which features are in scope

  • In scope: custom-domain email and fully managed email hosting tiers, including their administrative consoles, audit logs, and backups.
  • Out of scope — relay aliases: the protected alias forwarding feature is positioned as a non-PHI surface. The in-product UI and our documentation explicitly warn that PHI must not be routed through aliases. Treat the alias relay as non-BAA.
  • Out of scope — AI triage on relay: any AI triage applied to relayed mail follows the same non-PHI scoping.

How to request the BAA

  1. Email {{TODO: BAA contact email}} with your legal entity name, NPI (if applicable), and intended service tier.
  2. We send the BAA for review.
  3. Both parties counter-sign; the agreement is filed and stored against your account.

Until the BAA is executed, the Service must not be used to transmit PHI.

Disclaimer

This page is provided for informational purposes. It is not legal advice and does not itself create a Business Associate relationship; the executed BAA does.
