Business Associate Agreement
Last updated: April 1, 2026
Overview
This Business Associate Agreement ("BAA") summary describes the standard HIPAA terms Peerakeet generally uses when Peerakeet acts as a business associate or similar regulated service provider for a customer that uses Peerakeet services.
This public page is a summary for transparency only. It is not itself a contract and does not amend or replace any executed BAA, QSOA, MSA, or other customer agreement.
The full signable BAA — which may also serve as a Qualified Service Organization Agreement (QSOA) or other Part 2-compliant contract structure where applicable — is provided through Peerakeet's contracting workflow. Whether a BAA/QSOA is required depends on the customer's legal role, workflow, and the type of data involved.
Customer is solely responsible for determining whether data subject to 42 CFR Part 2 is processed through the Services. Customer shall not input, transmit, or process information subject to 42 CFR Part 2 unless a valid Qualified Service Organization Agreement (QSOA) or other applicable Data Compliance Addendum has been fully executed with Peerakeet. Peerakeet does not assume responsibility for identifying Part 2 data and may treat all data as not subject to 42 CFR Part 2 unless otherwise expressly agreed in writing.
Peerakeet provides infrastructure to facilitate communication, documentation, and workflow support. While Peerakeet may provide tools that enable moderation, structuring, or visibility into user activity, Peerakeet does not provide clinical services and does not supervise or direct care delivery. Peerakeet does not assume responsibility for the accuracy, appropriateness, or outcomes of user-generated content, communications, or any clinical, peer support, or treatment decisions made by Customer or its users.
Peerakeet may use subcontractors to support service delivery. Peerakeet remains responsible for ensuring such subcontractors are contractually bound to protect PHI in accordance with HIPAA. Customer acknowledges that such subcontractors may have access to PHI as necessary to perform services and that Peerakeet does not control their independent operations beyond such contractual obligations.
Definitions
- Service Tiers: Peerakeet may offer Services under different service tiers (e.g., Starter, Professional, Enterprise), each of which may include different features, support levels, and contractual obligations. The specific tier applicable to Customer will be set forth in the applicable Order Form or Services Agreement.
- No Transfer of Responsibility: Nothing in this Agreement, including any service tier, feature set, or support offering, shall be construed to assign Peerakeet responsibility for care delivery, clinical decision-making, supervision of personnel, or compliance with applicable healthcare or behavioral health laws, all of which remain solely the responsibility of Customer.
- Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form.
- Electronic Protected Health Information (Electronic PHI): PHI transmitted or maintained in electronic form.
- Security Incident: Attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI, or interference with system operations.
- Breach: Unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of PHI, as defined by HIPAA.
- Unsecured PHI: PHI that has not been rendered unusable, unreadable, or indecipherable through approved methods.
Obligations of Business Associate
Peerakeet agrees to:
- Use and disclose PHI only as permitted by the BAA and applicable law.
- Implement administrative, physical, and technical safeguards to protect PHI and Electronic PHI.
- Apply minimum necessary standards for use and disclosure of PHI, as applicable.
- Report Security Incidents involving Customer PHI without unreasonable delay.
- Report Breaches of Unsecured PHI without unreasonable delay and in accordance with HIPAA notification requirements.
- Ensure subcontractors handling PHI are bound by written terms that are no less protective than the BAA.
- Support Customer obligations for access, amendment, and accounting of disclosures under HIPAA.
- Make relevant records available to HHS for HIPAA compliance review when required.
- Return or destroy PHI at termination when feasible, or continue protections if return or destruction is infeasible.
Permitted Uses and Disclosures
Peerakeet may use or disclose PHI:
- To provide services under the applicable services agreement.
- For proper management and administration of Peerakeet, where permitted by law and the BAA.
- To carry out legal responsibilities as required by law.
- For Data Aggregation and other HIPAA-permitted operations.
- To report violations of law to appropriate federal or state authorities, as permitted by HIPAA.
De-Identified Data
Peerakeet may de-identify PHI in accordance with HIPAA requirements (45 CFR § 164.514(a) and (b)). Once data is de-identified, it is no longer PHI and may be used for lawful purposes, including service operations, quality improvement, security, and product development.
Security Measures
Peerakeet maintains safeguards designed to protect PHI and Electronic PHI, including:
- Encryption for PHI in transit and at rest.
- Access controls and role-based permissions.
- Audit logging and monitoring.
- Policies, procedures, and workforce training aligned with HIPAA obligations.
Breach Notification
If Peerakeet discovers a Breach of Unsecured PHI, Peerakeet will notify Customer without unreasonable delay and in no case later than the deadline set in the executed BAA, consistent with 45 CFR § 164.410.
Notification includes, to the extent known, affected individuals, incident timing, types of information involved, mitigation steps, and contact information.
Term and Termination
The BAA remains in effect for the term of the underlying services agreement unless terminated earlier according to its terms. Upon termination, PHI is returned or destroyed when feasible, and protections continue for retained PHI where return or destruction is infeasible.
Suspension of Services
Peerakeet may suspend or restrict access to the Services, in whole or in part, upon written or electronic notice where reasonably necessary to: (a) address a Security Incident or suspected unauthorized access; (b) prevent or mitigate legal, regulatory, or compliance risk; (c) address a material breach of the applicable agreement; or (d) protect the integrity, availability, or security of the Services.
Peerakeet will use commercially reasonable efforts to limit the scope and duration of any suspension and to restore access promptly once the underlying issue is resolved.
Peerakeet is not responsible for monitoring or enforcing Customer's compliance with clinical, peer support, patient safety, or other regulatory obligations.
Request a Signed BAA
To request a signed Business Associate Agreement for your organization:
Contact Peerakeet
Email: support@peerakeet.com
Please include your organization name, contact information, and any specific requirements for your BAA.