Business Associate Agreement

Pharity is a HIPAA Business Associate to every clinic and pharmacy on the platform. The mutual BAA between Pharity and your organization (the Covered Entity) governs how Protected Health Information (PHI) is created, received, maintained, or transmitted on your behalf.

• Pharity uses PHI only as permitted by HIPAA and the executed agreement, to operate the platform on your behalf, not for any other purpose
• Pharity implements administrative, physical, and technical safeguards per HIPAA Security Rule §164.308–.312
• All PHI is encrypted at rest (AES-256 via DigitalOcean Managed Postgres) and in transit (TLS 1.3)
• Append-only audit log via Postgres trigger, UPDATE and DELETE on audit_logs are rejected at the database level
• 7-year audit-log retention per HIPAA requirements
• Pharity notifies you of any breach of unsecured PHI per HIPAA §164.410 within 60 days (typically much sooner)
• Pharity will not subcontract PHI handling to any vendor without a written BAA in place (subprocessor list maintained at /legal/privacy)
• On termination, Pharity returns or destroys PHI per the executed BAA's terms

• DigitalOcean, hosting + Managed Postgres (Standard Support tier with BAA)
• AWS, SES for email delivery (BAA via AWS Artifact)
• Twilio, SMS delivery (BAA in place)
• BoldSign, e-signature workflow (BAA in place)
• Sentry, error monitoring (HIPAA tier with BAA)
• Daily.co or Zoom for Healthcare, telehealth video (BAA when telehealth ships)

• Sell, monetize, or aggregate PHI for any purpose
• Share PHI with any party that hasn't signed a BAA
• Use PHI for product analytics or marketing
• Store PHI in payment-processor metadata (Stripe; payment-processing exemption applies)

Once activated, your executed BAA lives in your admin panel under Settings → Compliance (coming with C4). Before that ships, request a copy from [email protected].