SignQuick's commitment to protecting Protected Health Information (PHI) in compliance with HIPAA regulations.
Last updated: March 2026
PHI encrypted with AES-256 end-to-end
Complete audit trail for all document access
Breach notification within 24 hours
Data deletion upon agreement termination
This Business Associate Agreement ("BAA") is entered into between the healthcare entity ("Covered Entity") and SignQuick ("Business Associate") pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act").
Protected Health Information (PHI) refers to individually identifiable health information transmitted or maintained in any form, including electronic PHI (ePHI), that is created, received, maintained, or transmitted by SignQuick on behalf of the Covered Entity.
Business Associate means SignQuick, which creates, receives, maintains, or transmits PHI on behalf of the Covered Entity for the purpose of electronic document signing and storage.
SignQuick agrees to:
SignQuick implements the following safeguards to protect ePHI:
AES-256 end-to-end encryption for all documents containing PHI
Role-based access controls limiting PHI access to authorized users only
Complete audit trail logging all access, modifications, and signing events
EU-hosted infrastructure with encrypted data at rest and in transit
Automatic document retention and deletion policies
Secure signer authentication via unique token-based links
SignQuick shall make PHI maintained in a Designated Record Set available to Covered Entity for inspection and copying within 15 business days of a request, to enable Covered Entity to fulfill its obligations under 45 CFR 164.524.
SignQuick shall incorporate any amendments to PHI as directed by the Covered Entity pursuant to 45 CFR 164.526.
SignQuick shall report to the Covered Entity any Breach of Unsecured PHI within 24 hours of discovery, including:
Upon termination of this Agreement, SignQuick shall return or destroy all PHI received from the Covered Entity, or created or received on behalf of the Covered Entity, within 30 days. If return or destruction is not feasible, SignQuick shall extend the protections of this Agreement to such PHI and limit further uses and disclosures.
The Covered Entity may terminate this Agreement if it determines that SignQuick has violated a material term. SignQuick shall be given 30 days to cure the violation before termination takes effect.
| Provider | Purpose | Location |
|---|---|---|
| Vercel | Application hosting & CDN | EU (Frankfurt) |
| Neon | PostgreSQL database | EU (Frankfurt) |
| Vercel Blob | Encrypted document storage | EU |
Available for Pro plan customers. Contact us to receive a countersigned Business Associate Agreement for your organization.