Effective May 5, 2026 · Version 1.0
Business Associate Agreement
This Business Associate Agreement ("BAA") is incorporated by reference into the Terms of Service between Heepsters Creative LLC ("Business Associate" or "Heepsters") and the customer Covered Entity ("Covered Entity") using the Heepsters Practice service (the "Service").
Plain-English summary
- We will only use PHI to operate the Service for you, never for marketing or model training.
- We'll keep PHI encrypted, access-controlled, and inside the United States.
- We'll notify you within 24 hours of confirming any security incident touching PHI.
- You can request a return or destruction of your PHI on termination.
1. Definitions
Capitalized terms have the meanings given in the HIPAA Rules (45 CFR Parts 160 and 164) or in the underlying Terms of Service.
2. Permitted uses and disclosures
Business Associate may use and disclose PHI only as necessary to perform the Service for Covered Entity, for proper management and administration of Business Associate's organization, or as Required by Law. Business Associate will not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity.
3. Safeguards
Business Associate will implement administrative, physical, and technical safeguards consistent with 45 CFR 164.308, 164.310, and 164.312 to prevent use or disclosure of PHI other than as provided for by this BAA.
4. Reporting
Business Associate will report to Covered Entity any use or disclosure of PHI not permitted by this BAA, including any Breach of Unsecured PHI, within 24 hours of confirmation, with a Breach impact assessment as soon as reasonably practicable and in any case within the HIPAA-required timeframe.
5. Subcontractors
Business Associate will require any subcontractor that creates, receives, maintains, or transmits PHI on its behalf to agree in writing to the same restrictions and conditions that apply to Business Associate under this BAA.
6. Subprocessor list
- Amazon Web Services, Inc. — cloud infrastructure (US-only regions)
- Supabase, Inc. — managed Postgres + auth (US-only regions)
- Stripe, Inc. — payment processing (no PHI)
- Resend / Postmark — transactional email (no PHI in body)
- Twilio, Inc. — SMS appointment reminders (no PHI in body)
- Anthropic, PBC — AI assistance, BAA in place, U.S. processing
We give 30 days' notice before adding any subprocessor that handles PHI. Email security@heepsterspractice.com to subscribe to changes.
7. Access, amendment, accounting
Business Associate will make PHI available to Covered Entity to fulfill individual rights of access (164.524), amendment (164.526), and accounting of disclosures (164.528) within timelines reasonable to enable Covered Entity's compliance.
8. Termination
On termination, Business Associate will return or destroy all PHI in its possession at Covered Entity's direction. Where return or destruction is infeasible, Business Associate will extend the protections of this BAA to the retained PHI for as long as it is retained.
9. Governing law
This BAA is governed by the law of the State of Utah, except where preempted by federal law including HIPAA.
Need a counter-signed copy or a redlined version? Email legal@heepsterspractice.com.