On this page
What a Business Associate Agreement is#
Under HIPAA, a covered entity (such as a clinician or practice) must enter into a written agreement with any third-party service that handles PHI on its behalf. That written agreement is the Business Associate Agreement. It is the legal mechanism by which our HIPAA-compliant operating practices become enforceable to you as a customer.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that, before a covered entity discloses PHI to a business associate, the two parties must execute a written agreement establishing the permitted uses of that PHI and the safeguards the business associate will apply. PsyFi Scribe is a business associate to the clinicians and practices that use it; the BAA is how that relationship is formalized.
Who needs a BAA with PsyFi Scribe#
Any clinician or practice that will use PsyFi Scribe to handle protected health information needs a signed BAA before using the product with real client sessions.
A BAA is required if you are a HIPAA-covered entity (a licensed healthcare provider, a health plan, or a healthcare clearinghouse) and you will use PsyFi Scribe to record, transcribe, or generate clinical notes about identifiable patients. This includes:
- Solo licensed mental-health clinicians (psychologists, LCSWs, LPCs, LMFTs, psychiatrists, and similar) in private practice.
- Group practices and clinics with multiple licensed clinicians.
- Practice administrators acting on behalf of clinicians.
- Telehealth providers using PsyFi Scribe inside their session workflow.
If you are evaluating PsyFi Scribe with non-PHI test scenarios only (for example, mock sessions during a procurement review), you do not need a signed BAA for that evaluation. As soon as you begin to use the product with a real client session, a BAA must be in place.
What our BAA covers#
The PsyFi Scribe BAA tracks the structure required by 45 CFR § 164.504(e): permitted uses, safeguards, reporting obligations, subcontractor flow-down, access and amendment rights, and obligations on termination. Below is a plain-English summary; the binding text is the BAA you sign.
- Permitted uses
- We use PHI only to provide and improve the PsyFi Scribe service to you, and only as the BAA and HIPAA permit. We do not sell PHI; we do not use it for marketing; we do not use it to train AI models.
- Safeguards
- We implement the administrative, physical, and technical safeguards required by the HIPAA Security Rule. See our Security page for the operating detail behind these.
- Reporting
- We will notify you, in writing and without unreasonable delay, of any use or disclosure of your PHI not permitted by the BAA, of any security incident that compromises PHI, and of any breach of unsecured PHI for which the HIPAA Breach Notification Rule applies.
- Access & amendment
- We assist you in responding to a patient's access, amendment, and accounting-of-disclosures requests for the PHI we hold on your behalf.
- Workforce training
- Every PsyFi Scribe employee with access to PHI receives HIPAA-specific training at hire and at least annually thereafter.
- Termination
- On termination of the BAA we will return or destroy PHI we hold on your behalf to the extent feasible, and extend the protections of the BAA to any PHI we cannot return or destroy.
Subcontractors#
We use third-party services to deliver PsyFi Scribe. Every subcontractor that may touch PHI is itself bound by a BAA with us, on terms at least as protective as the ones in our BAA with you.
The categories of subcontractors involved in handling PHI are listed on our Security page. The binding, named list for your account is attached to your BAA as Schedule A. We notify customers in advance of material changes to that list so you can review before the change takes effect.
Term & termination#
The BAA is effective when both parties sign and remains in effect as long as PsyFi Scribe holds your PHI. Either party may terminate as described in the agreement, and on termination we return or destroy PHI as feasible.
The BAA terminates automatically at the end of your service term with PsyFi Scribe or earlier as described in the agreement. Some obligations — particularly those around safeguarding PHI we cannot return or destroy — survive termination.
How to request a signed BAA#
Email us and we will send our standard BAA for review and signature. Most BAAs are signed within a few business days; counter-redlines are welcome and we route them to counsel quickly.
Send a request to hello@psyfiscribe.com with:
- The legal name of the covered entity (practice, clinic, or individual clinician).
- The state in which the practice operates.
- The name and title of the person authorized to sign on the practice's behalf.
- Any specific procurement, redline, or routing requirements you'd like us to know about up front.
We send our standard BAA via electronic signature. If your practice has a required template or addendum, share it with the initial request and we will work from your form when feasible.
Contact#
hello@psyfiscribe.com
BAA requests, redlines, and procurement questions. For broader HIPAA questions, see our HIPAA page; for security operating detail, our Security page.