Business Associate Agreement
Summary — Last updated: July 3, 2026
This page is a plain-language summary of the Swipe Savvy HIPAA Business Associate Agreement. It is not the executed agreement and does not modify it.
1. Purpose
When a Covered Entity or upstream Business Associate uses Savvy Health and related services in a way that requires Swipe Savvy, Inc. ("Swipe Savvy") to create, receive, maintain, or transmit Protected Health Information ("PHI") on the customer's behalf, Swipe Savvy acts as the customer's Business Associate. The Business Associate Agreement ("BAA") sets out the parties' obligations for PHI and is designed to satisfy HIPAA, including 45 CFR 164.502(e), 164.504(e), 164.308(b), and 164.314. For PHI, the BAA controls over our other terms.
2. Permitted Uses of PHI
We use and disclose PHI only as necessary to provide, operate, secure, support, and administer the Services for the customer, and only as permitted by the BAA, the underlying agreement, HIPAA, or as required by law. We apply minimum-necessary principles and will not use or disclose PHI in a way that would violate HIPAA if done by the customer.
3. No Sale; No Model Training; De-Identification
We do not sell PHI and do not use PHI for prohibited marketing. We do not use PHI to train generalized, foundation, or third-party AI models, and we require AI vendors that handle PHI to agree in writing to the same. We may de-identify PHI in accordance with 45 CFR 164.514; de-identified and aggregated data is not PHI and may be used for analytics, benchmarking, product improvement, security, operations, and research.
4. Safeguards
We maintain appropriate administrative, physical, and technical safeguards and a written information-security program to protect the confidentiality, integrity, and availability of ePHI, consistent with the HIPAA Security Rule. We do not represent that we hold SOC 2, HITRUST, ISO 27001, or any other specific certification unless expressly stated in a signed writing.
5. Breach and Security Incident Notice
We will report to the customer any use or disclosure of PHI not permitted by the BAA of which we become aware, and will notify the customer of a Breach of Unsecured PHI without unreasonable delay and no later than ten (10) business days after discovery, with the information reasonably available to support the customer's notification obligations. We will report reportable Security Incidents and will mitigate known harmful effects to the extent practicable.
6. Subcontractors and Offshore Access
We require subcontractors that handle PHI on our behalf to agree in writing to protections at least as strict as those required by HIPAA and the BAA. Laboratory integration is provided through a partner only after an appropriate written agreement is executed — no production PHI is transmitted to a lab partner beforehand. Support may be provided by personnel located outside the United States, including in the Philippines, under confidentiality, minimum-necessary, access-control, logging, and training obligations. See our Subprocessors page.
7. Individual Rights and HHS Access
Where we maintain PHI in a Designated Record Set, we will make it available to support the customer's obligations regarding individual access, amendment, and accounting of disclosures under HIPAA. We will make our relevant practices, books, and records available to the U.S. Department of Health and Human Services as required.
8. Return or Destruction of PHI
Following termination, we will make PHI available for export for at least forty-five (45) days and will, if feasible, return or destroy remaining PHI. PHI may persist in encrypted backups, archives, and logs until deleted or overwritten under our retention schedules, and will remain protected under the BAA.
9. Governing Law
The BAA is governed by the laws of the State of Florida, without regard to conflict-of-law rules, with venue in Orange County, Florida, unless a signed order form states otherwise. Nothing in our agreements limits either party's obligation to comply with HIPAA, 42 CFR Part 2, or other applicable law.
10. Requesting the Executed Agreement
This summary is provided for convenience and highlights key points only. To request the full executed Business Associate Agreement for your account, contact legal@swipesavvy.com. See also our Healthcare Terms and Healthcare Privacy Notice.