Business Associate Agreement

Last updated: April 28, 2026

This Business Associate Agreement (“Agreement” or “BAA”) is entered into by and between the entity identified in the applicable TeleVerify Subscription Agreement or Order Form that is a Covered Entity or Business Associate under HIPAA (“Covered Entity”) and TeleVerify, Inc. (“Business Associate” or “TeleVerify”).

Recitals

WHEREAS, Covered Entity uses TeleVerify’s telehealth compliance verification platform (the “Service”) pursuant to a separate Subscription Agreement or Terms of Service (the “Underlying Agreement”);

WHEREAS, in connection with the Service, Business Associate may create, receive, maintain, or transmit Protected Health Information (“PHI”) on behalf of Covered Entity;

WHEREAS, the Parties wish to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the HITECH Act, and the regulations at 45 C.F.R. Parts 160 and 164 (the “HIPAA Rules”); and

WHEREAS, the HIPAA Rules require Covered Entity to enter into this Agreement with Business Associate to provide satisfactory assurances that Business Associate will appropriately safeguard PHI;

NOW, THEREFORE, the Parties agree as follows:

Article 1 — Definitions

Capitalized terms not otherwise defined herein shall have the meanings assigned to them under the HIPAA Rules. Key defined terms include: “Breach” (45 C.F.R. § 164.402), “Designated Record Set” (45 C.F.R. § 164.501), “Electronic Protected Health Information” or “ePHI” (45 C.F.R. § 160.103), “Individual” (45 C.F.R. § 160.103), “Protected Health Information” or “PHI” (45 C.F.R. § 160.103, as limited to information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity), “Required by Law” (45 C.F.R. § 164.103), “Secretary” (the Secretary of HHS), “Security Incident” (45 C.F.R. § 164.304), and “Unsecured PHI” (45 C.F.R. § 164.402).

Article 2 — Scope of PHI and Data Minimization

2.1 Limited Data Set. The Service processes a limited set of information for the sole purpose of telehealth compliance verification:

(a) Provider Information: National Provider Identifier (NPI), provider name, professional credentials and license types, state licensure data, email address, and encrypted authentication credentials.

(b) Patient Location Data: Approximate geographic location of the patient at the state level only (e.g., “California” or “CA”), derived from IP address geolocation or voluntary patient self-report. Business Associate does not collect, store, or process city-level, street-level, or GPS-precision location data for patients.

(c) Session Metadata: Telehealth session identifiers, timestamps, compliance check results (compliant/non-compliant/review-needed status), verification method used, and audit log entries. Business Associate does not access, record, store, or transmit any audio, video, chat content, clinical notes, diagnoses, treatment plans, prescriptions, or other clinical or medical information from telehealth sessions.

(d) Zoom Integration Data: When providers connect their Zoom accounts, Business Associate stores encrypted OAuth tokens (AES-256-GCM at rest), Zoom user identifiers, and meeting identifiers. Business Associate accesses Zoom meeting context (meeting ID, participant role, host status) solely to determine which provider is conducting a session and to trigger compliance verification. Business Associate does not access meeting content, recordings, transcripts, chat messages, or participant lists beyond the host identifier.

2.2 Data Minimization Commitment. Business Associate shall not request, collect, access, use, or store any PHI beyond what is strictly necessary to provide the Service. Business Associate shall not access, store, or process any of the following: patient names, dates of birth, Social Security numbers, medical record numbers, health plan beneficiary numbers, diagnoses or diagnostic codes, treatment information, prescription data, lab results, clinical notes, insurance or billing information, photographs or biometric identifiers, or any other of the eighteen (18) categories of identifiers specified in 45 C.F.R. § 164.514(b)(2), except for geographic information limited to the state level as described in Section 2.1(b).

2.3 De-Identification. The Parties acknowledge that much of the data processed by Business Associate may qualify as de-identified information under the Safe Harbor method (45 C.F.R. § 164.514(b)). Notwithstanding the foregoing, Business Associate shall treat all data received from or on behalf of Covered Entity as PHI for purposes of this Agreement.

Article 3 — Obligations of Business Associate

3.1 Permitted Uses and Disclosures. Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law. Business Associate is authorized to use and disclose PHI solely to: (a) perform the telehealth compliance verification services described in the Underlying Agreement; (b) carry out the proper management and administration of Business Associate, provided that any such disclosure is Required by Law or the recipient agrees in writing to maintain confidentiality; (c) aggregate PHI with data from other Covered Entities for de-identified compliance trend analysis; and (d) report violations of law to appropriate authorities per 45 C.F.R. § 164.502(j)(1).

3.2 Prohibition on Sale of PHI. Business Associate shall not directly or indirectly receive remuneration in exchange for PHI, except as permitted under 45 C.F.R. § 164.502(a)(5)(ii).

3.3 Safeguards. Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards in accordance with 45 C.F.R. Part 164, Subpart C, including:

(a) Encryption in Transit: TLS 1.2 or higher with HSTS enforcement.

(b) Encryption at Rest: AES-256-GCM for Zoom OAuth tokens with dedicated encryption keys managed through environment-level secrets. SSL-encrypted database connections.

(c) Authentication: bcrypt-hashed passwords; cryptographically signed JWT session tokens with configurable expiration.

(d) Infrastructure: Hosted on Railway, a SOC 2 Type II compliant platform-as-a-service provider. PostgreSQL with SSL-encrypted connections.

(e) Access Controls: Role-based access controls separating provider, organization administrator, and system administrator access. Rate limiting on all API endpoints.

(f) Audit Logging: Tamper-evident audit logs with cryptographic hash-chain integrity verification, retained for a minimum of seven (7) years.
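The tamper-evident hash-chain audit log named in Section 3.3(f) (and again under "Security" in Exhibit A) can be illustrated with a small added example. This code is not TeleVerify's implementation and is not taken from this Agreement; it is an independent sketch with constructed sample events and placeholder identifiers (the NPI value and timestamps are made up). It shows how each log entry commits to the hash of the entry before it, how an in-place edit or a deleted entry is detected on verification, and why the hash of the newest entry must still be recorded outside the log itself, since a chain that has merely been truncated at the tail verifies as intact.

```python
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

# The first entry chains to this fixed value instead of to a previous entry.
GENESIS_HASH = "0" * 64


def _canonical(body: Dict[str, Any]) -> bytes:
    # Deterministic serialization so identical content always hashes identically.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_entry(chain: List[Dict[str, Any]], event: Dict[str, Any]) -> Dict[str, Any]:
    """Append an event; its hash covers the sequence number, the previous hash and the event."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    body = {"seq": len(chain), "prev_hash": prev_hash, "event": copy.deepcopy(event)}
    entry = dict(body, hash=hashlib.sha256(_canonical(body)).hexdigest())
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict[str, Any]]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if every link holds, else (False, index of first bad entry)."""
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("seq") != i or entry.get("prev_hash") != prev_hash:
            return False, i  # gap, reorder or deletion before this entry
        if hashlib.sha256(_canonical(body)).hexdigest() != entry.get("hash"):
            return False, i  # content of this entry was altered after it was written
        prev_hash = entry["hash"]
    return True, None


def verify_against_anchor(chain: List[Dict[str, Any]], anchored_head: str) -> bool:
    """Chain integrity plus a check that the newest hash matches one stored outside the log."""
    ok, _ = verify_chain(chain)
    return ok and bool(chain) and chain[-1]["hash"] == anchored_head


# Constructed sample compliance-check events (placeholder NPI, state-level location only).
SAMPLE_EVENTS = [
    {"ts": "2026-04-28T14:00:00Z", "npi": "0000000000", "patient_state": "CA", "result": "compliant"},
    {"ts": "2026-04-28T14:05:00Z", "npi": "0000000000", "patient_state": "NV", "result": "non-compliant"},
    {"ts": "2026-04-28T14:07:00Z", "npi": "0000000000", "patient_state": "NV", "result": "review-needed"},
]


def build_sample_chain() -> List[Dict[str, Any]]:
    chain: List[Dict[str, Any]] = []
    for ev in SAMPLE_EVENTS:
        append_entry(chain, ev)
    return chain


def detect_tampered_status() -> Tuple[bool, Optional[int]]:
    # A stored result is rewritten in place; the entry's hash no longer matches its content.
    chain = build_sample_chain()
    chain[1]["event"]["result"] = "compliant"
    return verify_chain(chain)


def detect_deleted_entry() -> Tuple[bool, Optional[int]]:
    # Removing a middle entry breaks the seq and prev_hash expected by the entry after it.
    chain = build_sample_chain()
    del chain[1]
    return verify_chain(chain)


def truncation_is_not_detected() -> Tuple[bool, Optional[int]]:
    # Dropping only the newest entry leaves a chain that still verifies on its own.
    chain = build_sample_chain()
    del chain[-1]
    return verify_chain(chain)


if __name__ == "__main__":
    full = build_sample_chain()
    head = full[-1]["hash"]
    print("intact:", verify_chain(full))
    print("edited entry:", detect_tampered_status())
    print("deleted entry:", detect_deleted_entry())
    print("truncated, chain-only check:", truncation_is_not_detected())
    print("truncated, anchored check:", verify_against_anchor(full[:-1], head))
```

The last two calls are the practical point: a hash chain alone proves that nothing inside the log was edited or removed from the middle, but not that the log is complete. Periodically copying the current head hash somewhere the log writer cannot modify (a separate system, a signed timestamp, or a write-once store) is what turns the chain into a check against truncation as well.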

3.4 Subcontractors. Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI agree in writing to the same restrictions and requirements. Current subprocessors:

(a) Railway: Application hosting and database infrastructure.

(b) Zoom Video Communications: Video platform integration for meeting context. Zoom does not receive PHI from Business Associate.

(c) Stripe, Inc.: Payment processing for subscription billing. Stripe does not receive PHI.

(d) Resend: Transactional email delivery. Email content does not contain PHI.

Business Associate shall notify Covered Entity of material changes to the subprocessor list at least thirty (30) days prior.

3.5 Reporting. Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, including any Breach of Unsecured PHI and any Security Incident, as detailed in Article 4.

3.6 Access to PHI. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make such PHI available to Covered Entity within fifteen (15) business days of a written request, for purposes of responding to Individual access requests under 45 C.F.R. § 164.524.

3.7 Amendment of PHI. Business Associate shall make PHI available for amendment within fifteen (15) business days of a written request and shall incorporate amendments as directed by Covered Entity pursuant to 45 C.F.R. § 164.526.

3.8 Accounting of Disclosures. Business Associate shall maintain and make available information required for accounting of disclosures under 45 C.F.R. § 164.528, within thirty (30) days of a written request. Such information shall be maintained for six (6) years from the date of the disclosure.

3.9 Governmental Access. Business Associate shall make its internal practices, books, and records relating to PHI available to the Secretary for compliance determination purposes.

3.10 Minimum Necessary Standard. Business Associate shall limit its use, disclosure, and request of PHI to the minimum necessary to accomplish the intended purpose, in accordance with 45 C.F.R. § 164.502(b) and Article 2.

Article 4 — Breach Notification

4.1 Discovery and Notification. Business Associate shall notify Covered Entity without unreasonable delay, and in no event later than thirty (30) calendar days after discovery of a Breach of Unsecured PHI.

4.2 Content of Notification. Notification shall include, to the extent reasonably available: (a) identification of affected Individuals; (b) description of the nature of the Breach and types of Unsecured PHI involved; (c) description of investigation and mitigation steps; (d) dates of the Breach and discovery; and (e) contact information for Business Associate representatives.

4.3 Cooperation. Business Associate shall cooperate with Covered Entity in investigating the Breach and complying with applicable notification obligations.

4.4 Security Incidents. Business Associate shall report Security Incidents to Covered Entity. The Parties acknowledge that unsuccessful Security Incidents (pings, port scans, unsuccessful login attempts, denial-of-service attacks) occur regularly. Business Associate shall provide a summary of such unsuccessful incidents upon written request but is not required to provide individual notice of each.

Article 5 — Obligations of Covered Entity

Covered Entity shall: (5.1) notify Business Associate of any limitations in its notice of privacy practices that may affect Business Associate’s use of PHI; (5.2) notify Business Associate of any changes in or revocation of Individual permissions; (5.3) notify Business Associate of any restrictions agreed to under 45 C.F.R. § 164.522; (5.4) not request Business Associate to use or disclose PHI in a manner not permissible under Subpart E of 45 C.F.R. Part 164; and (5.5) represent that it has obtained necessary consents and authorizations for disclosure of PHI to Business Associate.

Article 6 — Term and Termination

6.1 Term. This Agreement shall be effective for the duration of the Underlying Agreement, unless earlier terminated.

6.2 Termination for Cause. Either Party may terminate if the other has violated a material term and has not cured within thirty (30) calendar days after written notice. If cure is not reasonably possible, the non-breaching Party may immediately terminate.

6.3 Obligations Upon Termination. Business Associate shall: (a) cease all uses and disclosures of PHI; (b) return or destroy all PHI within sixty (60) calendar days and certify in writing; provided, however, that if return or destruction is not feasible (including because of mandatory compliance record retention), Business Associate shall extend the protections of this Agreement to such information. Compliance verification records are retained for a minimum of seven (7) years per CMS requirements and remain subject to this Agreement for the duration of retention.

Article 7 — Miscellaneous

7.1 References to the HIPAA Rules mean the sections as in effect or amended.

7.2 The Parties shall amend this Agreement as required for HIPAA compliance. No amendment is effective unless in writing signed by both Parties; provided that Business Associate may update the subprocessor list and security measures upon thirty (30) days’ prior written notice.

7.3 Obligations under Articles 3 and 4 survive termination to the extent Business Associate retains any PHI.

7.4 Ambiguities shall be interpreted to permit HIPAA compliance. In case of conflict with the Underlying Agreement regarding PHI, this Agreement controls.

7.5 Each Party shall indemnify and hold harmless the other from claims arising from its breach of this Agreement.

7.6 No third-party beneficiaries.

7.7 Governed by federal law, including the HIPAA Rules; to the extent not preempted, the laws of the State of Delaware.

7.8 This Agreement and the Underlying Agreement constitute the entire agreement regarding PHI.

7.9 Notices shall be in writing via email with confirmation of receipt.

7.10 May be executed in counterparts; electronic signatures are valid.

Exhibit A — Description of Services and PHI

Services: TeleVerify provides real-time telehealth compliance verification ensuring healthcare providers are legally authorized to treat patients across state lines. The Service integrates with Zoom, Doxy.me, SimplePractice, TherapyNotes, and Jane App.

PHI Processed: Provider NPI numbers, credentials and licensed states, patient state-level location, session timestamps and compliance results, Zoom meeting identifiers, and audit log entries.

PHI NOT Processed: Patient names, dates of birth, SSNs, medical record numbers, diagnoses, treatment plans, prescriptions, clinical notes, lab results, insurance/billing information, audio/video/chat content, biometric data, photographs, or sub-state geographic data for patients.

Security: TLS 1.2+ in transit; AES-256-GCM for tokens at rest; bcrypt-hashed passwords; PostgreSQL with SSL on Railway (SOC 2 Type II); role-based access controls; rate limiting; tamper-evident hash-chain audit logging.

Retention: Raw session connection data expires after 4 hours. Compliance records retained 7 years minimum. Zoom tokens deleted upon disconnection.

To execute this BAA, contact support@televerify.org or request a copy through your TeleVerify account settings.