Business Associate Agreements
What You'll Learn
This article explains what a Business Associate Agreement (BAA) is, how it works between you and Knack, and what you need to know about third-party consultants and vendors. If you're on a Knack HIPAA plan, a BAA is required before you store any PHI.
What Is a BAA?
A Business Associate Agreement is a legally required contract between a covered entity (you) and a business associate (any vendor that handles PHI on your behalf). HIPAA requires this agreement to be in place before any PHI is stored, processed, or transmitted through the vendor's platform.
The BAA defines each party's responsibilities for protecting PHI, reporting breaches, and maintaining compliance. Without a signed BAA, using a platform to store PHI is automatically non-compliant, regardless of how secure the platform is.
The Knack BAA
When you sign up for a Knack HIPAA plan, a BAA is included. This agreement covers Knack's role as a business associate and outlines:
- Knack's obligations for protecting PHI stored on the platform
- How Knack handles data encryption, backups, and infrastructure security
- Breach notification responsibilities
- The scope of Knack's access to your data
The BAA is between Knack and you (the HIPAA customer). It applies to your use of the Knack platform and the data you store in it.
What the BAA Does Not Cover
The BAA covers the platform. It does not cover:
- How you design, build, or operate your app
- How your team accesses or handles PHI
- Third-party services you connect to through the API or Flows
- Consultants or developers you hire to build your app
These are your responsibility. Knack provides the infrastructure. You provide the compliant application and processes.
Working With Consultants and Developers
If you hire a consultant or developer to build your Knack app, be aware of how the BAA applies:
- The BAA is between Knack and you. It is not an agreement between Knack and your consultant. Knack does not enter into BAAs with third parties hired by customers.
- If your consultant will access PHI, you need a separate BAA with them. This is a direct agreement between your organization and the consultant, covering their responsibilities for protecting your data.
- Consultants can be Authorized Users. Under Knack's Terms of Service, a third-party consultant may be considered an Authorized User if you authorize them to use the Knack Services on your behalf.
- You are responsible for your consultant's compliance. You must ensure that your consultant complies with the Terms of Service and the HIPAA Customer Addendum.
Bottom line: If someone is touching your app and your data, make sure there's a BAA in place between you and them. Knack's BAA only covers the Knack platform itself.
Third-Party Services and BAAs
If you connect your Knack app to external services through the API, Flows, or any other integration, the same principle applies. Each service that handles PHI needs its own BAA with you.
- Verify that the third-party service is HIPAA compliant before connecting it
- Sign a BAA with the service before sending any PHI to it
- Knack cannot guarantee the security of data once it leaves the Knack environment
For more detail on third-party compliance, see Flows and Third-Party Compliance.
Next Steps
- Flows and Third-Party Compliance — HIPAA considerations for automations and integrations
- Policies and Training Requirements — Organizational responsibilities beyond the BAA
- Your Responsibilities as a Covered Entity — Full breakdown of what you're responsible for
