Signing the Business Associate Agreement (BAA)

The Business Associate Agreement (BAA) is a HIPAA-required contract between your agency (the Covered Entity) and SOAP Note Buddy (the Business Associate). The agency admin signs it once on behalf of the entire agency, and it covers every clinician on the plan.

Why this matters

Under HIPAA, any service that handles Protected Health Information (PHI) on a covered entity’s behalf must have a signed BAA in place. Without a signed BAA, your agency cannot legally use SOAP Note Buddy with patient data.

The agency-level BAA is one of the core reasons to use the Agency Plan vs. individual subscriptions: one contract on org letterhead, not 20 individual click-through acceptances.

When you sign it

Right after you complete your Agency Plan checkout. The dashboard shows a yellow banner at the top — “Sign your agency’s BAA to activate” — and most admin features (inviting, seat changes, domain auto-join, etc.) are locked until you sign.

How to sign it

  1. Open /admin/agency and go to the BAA & Compliance tab.
  2. Read the full BAA text. It’s version 2.0 and covers:
    • How we handle your data (local storage, Firestore cloud, AI processing, voice)
    • Our security commitments (HIPAA infrastructure, encryption, breach notification)
    • Your responsibilities (review AI content, device security, professional judgment)
    • Subcontractors (Google Cloud Platform, Stripe, AWS SES — all with BAAs)
    • Data rights, breach notification, termination, contact info
  3. Enter your full legal name as it appears on official agency documents.
  4. Sign in the signature box — mouse, trackpad, or finger if on a tablet.
  5. Click Sign BAA.

After you sign:

Download the signed PDF

Open the BAA tab and click Download Signed PDF. You get a real PDF with:

Filename: BAA_<your-agency-name>.pdf. Forward it to your bookkeeper or save it in your compliance file.

Do my clinicians also sign their own BAA?

By the org-level BAA’s legal terms — no. Your agency BAA covers every clinician on the plan.

That said, the SOAP Note Buddy app and Chrome extension still prompt each clinician with their own BAA on first login (an in-app modal). This is defensive belt-and-suspenders rather than a legal requirement — it’s a personal acknowledgment that the clinician has read the terms, separate from the agency-level contract. Clinicians click “I Accept” once on first use, never again. It does not change anything about the agency’s BAA coverage.

What about clinicians invited later?

The same agency BAA covers anyone you add later — invites, bulk imports, or domain auto-join. No additional signing needed at the org level.

Changing the BAA

The BAA version is v2.0. If we update the terms (rare), you’ll be notified and the agency admin will be asked to re-sign on behalf of the org.

FAQ

What if I made a typo in my name? Email [email protected]. We can void the existing signature and let you re-sign.

Can someone other than the original admin re-sign? The current admin signs. If the admin changes, promote a new admin first; they can then re-sign if needed.

I never got the option to sign — went straight to a paywall. That means you don’t have an admin role on an agency. Either you weren’t the buyer (your admin needs to sign), or you’re on an individual subscription rather than an Agency Plan.


Still need help?

Email us at [email protected] — we respond personally within 24 hours.