Business Associate Agreement (BAA)

Last updated: February 17, 2026

1. Purpose

This Business Associate Agreement ("BAA") is entered into between the covered entity ("Covered Entity") and FileChute ("Business Associate") to ensure compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH").

This BAA governs the handling of Protected Health Information (PHI) when the Covered Entity uses FileChute to collect documents that may contain health-related information.

2. Obligations of Business Associate

FileChute agrees to:

  • Not use or disclose PHI other than as permitted or required by this BAA or as required by law
  • Use appropriate safeguards to prevent unauthorized use or disclosure of PHI
  • Report to the Covered Entity any use or disclosure of PHI not provided for by this BAA, including any security incident or breach of unsecured PHI
  • Ensure that any agents or sub-contractors that create, receive, maintain, or transmit PHI agree to the same restrictions
  • Make PHI available to the Covered Entity as required to satisfy an individual's right of access under HIPAA (45 CFR 164.524)

3. Security Safeguards

FileChute implements the following safeguards for PHI:

  • Encryption: All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls: Row-level security ensures strict tenant isolation; signed URLs for file access
  • Authentication: Email/password or OAuth sign-in, with optional TOTP two-factor authentication
  • Audit logging: Centralized activity logs track all file uploads, downloads, and access events
  • Password protection: Optional request-level password protection for sensitive document collections
  • IP allowlisting: Configurable IP-based access restrictions (Pro plan)

4. Breach Notification

In the event of a breach of unsecured PHI, FileChute will notify the Covered Entity without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. A breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any employee, officer, or agent of FileChute. The notification will include:

  • A description of the nature of the breach, including the date of the breach and the date of its discovery, to the extent known
  • The identity of each affected individual, to the extent known
  • The types of information involved
  • Steps taken to investigate and mitigate the breach
  • Contact information for further inquiries

5. Term and Termination

This BAA remains in effect for the duration of the service agreement. Upon termination, FileChute will return or destroy all PHI within 30 days, retaining no copies except where retention is required by law or where return or destruction is infeasible. Any PHI retained for those reasons remains subject to the protections of this BAA, and its use and disclosure is limited to the purposes that make return or destruction infeasible, for as long as it is retained.

6. Permitted Uses and Disclosures

FileChute may use or disclose PHI only as necessary to perform its obligations under the service agreement, including:

  • Storing and transmitting files uploaded by the recipients of a document request
  • Sending notifications and reminders as configured by the Covered Entity
  • Generating reports and analytics for the Covered Entity
  • The proper management and administration of the Business Associate, and carrying out its legal responsibilities, as permitted by HIPAA

7. Availability

A signed BAA is available to Pro plan customers. To request a BAA, contact us at compliance@filechute.com.