Effective Date: March 1, 2026 · Last Updated: March 25, 2026
Purpose and Scope
This Business Associate Agreement ("BAA") is entered into by and between Vasl Health, Inc. ("Business Associate") and the entity or individual engaging Vasl Health's platform services ("Covered Entity"), pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and their implementing regulations at 45 CFR Parts 160 and 164 (collectively, the "HIPAA Rules").
This BAA establishes the permitted and required uses and disclosures of Protected Health Information ("PHI") by the Business Associate when performing services on behalf of the Covered Entity through the Vasl Health platform located at app.gotovasl.com.
Definitions
Capitalized terms used in this BAA that are not otherwise defined have the meanings assigned to them in the HIPAA Rules. The following definitions apply specifically to this agreement:
- Protected Health Information (PHI): Individually identifiable health information created, received, maintained, or transmitted by the Business Associate on behalf of the Covered Entity. On the Vasl platform, this includes assessment scores, mood entries, message content, AI analysis outputs, session notes, risk flags, and cultural identity data when combined with health information.
- Electronic PHI (ePHI): PHI that is created, received, maintained, or transmitted in electronic form through the Vasl Health platform, including data stored in the platform database, transmitted via the messaging system, or processed by the Vasl Language Analysis Platform™ (VLAP).
- Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of ePHI, or interference with system operations in the platform's information systems.
- Breach: The acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR § 164.402.
Obligations of the Business Associate
Vasl Health, as the Business Associate, agrees to the following obligations with respect to PHI received from or created on behalf of the Covered Entity:
- Use or disclose PHI only as permitted or required by this BAA, the HIPAA Rules, or as required by law. PHI will not be used for marketing, sold, or disclosed to unauthorized third parties under any circumstances.
- Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, in accordance with the HIPAA Security Rule at 45 CFR Part 164, Subpart C.
- Encrypt all PHI at rest using AES-256 column-level encryption and in transit using TLS 1.3 or higher. Encryption keys are managed through AWS Key Management Service (KMS) and are never stored in application code or environment variables.
- Maintain an immutable audit log of all access to PHI, including the identity of the accessor, action performed, resource accessed, and timestamp. Audit logs are stored in a dedicated database separate from the application database and retained for a minimum of six (6) years.
- Report to the Covered Entity any use or disclosure of PHI not authorized by this BAA, any Security Incident, or any Breach of unsecured PHI. Notification of a Breach will be made without unreasonable delay and no later than sixty (60) days following discovery.
- Ensure that any agents or subcontractors to whom the Business Associate provides PHI agree to the same restrictions and conditions that apply to the Business Associate with respect to such PHI, including the execution of a BAA with each subcontractor.
- Make available to the Covered Entity, or to the Secretary of the U.S. Department of Health and Human Services, internal practices, books, and records relating to the use and disclosure of PHI for purposes of determining compliance with the HIPAA Rules.
- Make available PHI in a Designated Record Set to the Covered Entity or to an individual as required by 45 CFR § 164.524, within thirty (30) days of a valid request.
- Enforce role-based access controls at the API layer, ensuring members cannot access coach or admin data, coaches cannot access members not assigned to them, and organization administrators can only view aggregate data — never individual PHI.
- Enforce two-factor authentication for all platform users on every login, with no bypass path, using TOTP (authenticator app) as the primary method and SMS OTP as a fallback.
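The role-based access control and audit-logging obligations above, as an added example that is not Vasl Health's code: a minimal authorization check implementing the three rules in the access-control clause (members see only their own record, coaches see only assigned members, organization administrators see only aggregate reports), wrapped so that every decision, allowed or denied, is written to an append-only audit record carrying the accessor, action, resource identifier and timestamp. The role names, the coach-to-member assignment table and the hash chaining used to make edits to the log detectable are assumptions; the page does not say how the platform stores assignments or achieves immutability, and the platform-administrator role is not modelled.

```python
"""Illustrative RBAC decision + tamper-evident audit record.

Added example modelled on the BAA's access-control and audit-log clauses;
not Vasl Health's code. Roles, the ASSIGNMENTS table and the hash chain
are assumptions made for the illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import hashlib
import json

ROLES = {"member", "coach", "org_admin"}  # assumed role names


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str


@dataclass(frozen=True)
class Resource:
    kind: str                      # "member_record", "coach_record", "aggregate_report"
    owner_id: Optional[str] = None  # member or coach the record belongs to
    org_id: Optional[str] = None    # organisation an aggregate report covers


# Constructed sample data: which coach is assigned to which members.
ASSIGNMENTS = {"coach-1": {"member-1", "member-2"}, "coach-2": {"member-3"}}


def is_permitted(principal: Principal, resource: Resource) -> bool:
    """Deny by default; allow only the cases the access-control clause names."""
    if principal.role not in ROLES:
        return False
    if principal.role == "member":
        # A member may read only their own record, never coach or admin data.
        return resource.kind == "member_record" and resource.owner_id == principal.user_id
    if principal.role == "coach":
        if resource.kind == "coach_record":
            return resource.owner_id == principal.user_id
        if resource.kind == "member_record":
            return resource.owner_id in ASSIGNMENTS.get(principal.user_id, set())
        return False
    # org_admin: aggregate, de-identified reports only, never an individual's PHI.
    return resource.kind == "aggregate_report"


class AuditLog:
    """Append-only log. Each entry stores the SHA-256 of the previous entry, so
    editing or deleting any entry breaks the chain (assumed mechanism)."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._entries: list = []

    def record(self, principal: Principal, action: str, resource: Resource,
               allowed: bool, ts: Optional[datetime] = None) -> dict:
        prev = self._entries[-1]["entry_hash"] if self._entries else self.GENESIS
        entry = {
            "accessor": principal.user_id,       # identity of the accessor
            "role": principal.role,
            "action": action,                    # action performed
            "resource": f"{resource.kind}:{resource.owner_id or resource.org_id}",
            "allowed": allowed,                  # identifiers only, never PHI content
            "timestamp": (ts or datetime.now(timezone.utc)).isoformat(),
            "prev_hash": prev,
        }
        entry["entry_hash"] = self._digest(entry)
        self._entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash; False if any entry was altered or removed."""
        prev = self.GENESIS
        for e in self._entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or self._digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    @property
    def entries(self) -> list:
        return list(self._entries)  # copy: callers cannot mutate the log

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def access(log: AuditLog, principal: Principal, action: str, resource: Resource) -> bool:
    """API-layer gate: decide, then log the decision whether allowed or denied."""
    allowed = is_permitted(principal, resource)
    log.record(principal, action, resource, allowed)
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    print(access(log, Principal("coach-1", "coach"), "read", Resource("member_record", "member-2")))
    print(access(log, Principal("org-1", "org_admin"), "read", Resource("member_record", "member-1")))
    print(log.verify())
```

Logging denied attempts as well as successful reads is what gives the audit trail its value for incident investigation: a coach repeatedly requesting unassigned members shows up as a pattern even though no PHI was returned. Checking the chain with `verify()` at regular intervals is a simple detective control over the log itself.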
Permitted Uses and Disclosures
The Business Associate may use or disclose PHI only for the following purposes:
- Treatment support: Facilitating coaching sessions, teletherapy sessions, and clinical communication between members and their assigned coaches or therapists through the platform messaging system.
- AI-assisted clinical analysis: Processing member messages, mood entries, and assessment data through the Vasl Language Analysis Platform™ (VLAP) to generate clinician-facing insight tags, risk scores, and escalation flags. VLAP outputs are never displayed to members.
- Clinical safety monitoring: Detecting risk signals across message content, mood trends, assessment scores, and engagement patterns to trigger clinical escalation protocols and ensure timely intervention by licensed professionals.
- Platform operations: System administration, security monitoring, audit logging, and technical infrastructure management necessary to maintain the platform in a HIPAA-compliant state.
- De-identified aggregate reporting: Generating aggregate, de-identified analytics for Client Organizations in accordance with the HIPAA de-identification standard at 45 CFR § 164.514. No individual PHI is disclosed to organizational administrators.
Platform Security Architecture
The Vasl Health platform implements the following technical safeguards to protect ePHI:
- Infrastructure: All platform services are hosted on HIPAA-eligible AWS infrastructure (RDS, ECS, ElastiCache, S3, KMS) with a signed AWS BAA. Frontend deployment on Vercel with a signed Vercel BAA.
- Encryption at rest: AES-256 column-level encryption on all PHI database columns using PostgreSQL pgcrypto. S3 objects encrypted with SSE-KMS.
- Encryption in transit: TLS 1.3 minimum on all connections including HTTPS, WebSocket (wss://), Socket.io, and inter-service communication. HSTS enforced.
- Session management: Member sessions expire after 30 minutes of inactivity. Coach and admin sessions expire after 60 minutes. Refresh token rotation on every request.
- Prohibited practices: PHI is never logged to application logs, stored in browser localStorage or sessionStorage, included in URL parameters, sent in push notification payloads, SMS bodies, or email bodies, or processed by any third-party analytics tool.
Subcontractor BAAs
Vasl Health maintains signed Business Associate Agreements with all subcontractors who create, receive, maintain, or transmit PHI on behalf of the platform:
| Vendor | Service | PHI Handling | BAA Status |
|---|---|---|---|
| Amazon Web Services | Cloud infrastructure (RDS, ECS, S3, KMS, ElastiCache) | Stores and processes all ePHI | Required |
| Vercel | Frontend deployment and edge caching | Routes requests; no PHI stored at edge | Required |
| Anthropic | AI model API for VLAP analysis | Processes message content for clinical analysis | Required |
| Daily.co / Twilio | Video sessions for teletherapy | Transmits video/audio; optional session recording | Required |
| SMS Provider | Coach risk alert notifications | No PHI in SMS body — alert text only | Required |
| Firebase (FCM) | Push notifications | No PHI in payload — notification IDs only | Mitigated by design |
Breach Notification
In the event of a Breach of unsecured PHI, the Business Associate shall notify the Covered Entity without unreasonable delay and in no event later than sixty (60) calendar days after discovery of the Breach. The notification shall include:
- Identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach.
- A description of the nature of the Breach, including the types of unsecured PHI involved.
- The date of the Breach and the date of discovery.
- A description of the steps the Business Associate is taking to investigate the Breach, mitigate harm to affected individuals, and protect against further Breaches.
Vasl Health maintains a documented breach response procedure in compliance with 45 CFR §§ 164.400–414. All suspected Security Incidents are investigated immediately, and the platform's immutable audit log provides forensic traceability for any access event.
Term and Termination
This BAA shall remain in effect for the duration of the service agreement between the parties. Upon termination of the service agreement, the Business Associate shall, if feasible, return or destroy all PHI received from or created on behalf of the Covered Entity. If return or destruction is not feasible, the Business Associate shall extend the protections of this BAA to such PHI and limit further use and disclosure to those purposes that make the return or destruction infeasible, for so long as the Business Associate retains the PHI.
Any PHI retained after termination shall continue to be protected in accordance with this BAA and the HIPAA Rules. The obligations of the Business Associate under this Section shall survive termination of this BAA.
Amendment
This BAA shall be amended as necessary to comply with changes in the HIPAA Rules or other applicable law. Either party may request an amendment to this BAA to ensure compliance with applicable regulations. No amendment to this BAA shall be effective unless agreed to in writing by both parties.
Governing Law
This BAA shall be governed by and construed in accordance with the laws of the State of California and applicable federal law, including the HIPAA Rules. In the event of a conflict between this BAA and the HIPAA Rules, the HIPAA Rules shall prevail.
Questions about our BAA?
Our compliance team is available to discuss the details of this agreement.
Contact info@gotovasl.com