HIPAA BAA

Legacy Labs enters into a Business Associate Agreement (BAA) with every covered entity or business associate we serve under HIPAA. Our template BAA is available on request and negotiable in scope, liability, and incident response timing.

A standard HIPAA BAA covering our obligations as a business associate: permitted uses and disclosures, safeguards, subcontractor flow-down, breach notification, and termination. We can sign your template or provide ours.

On request, we will also sign a Data Processing Agreement (DPA) consistent with GDPR and CCPA obligations, and — where your counsel requires — a custom addendum for state-level healthcare regulations.

• Zero-retention LLM gateway routing to BAA-covered providers.
• Deployment inside your cloud tenant (AWS, GCP, Azure) under your VPC.
• PHI redaction layer applied before any third-party model call.
• Per-tool least-privilege service accounts with scoped audit trails.
• Human-in-the-loop reviewer gates on any PHI-touching action.
• Encryption at rest (AES-256) and in transit (TLS 1.2+) end-to-end.

Email security@getlegacylabs.com with your entity name, contact, and preferred template. We turn BAA requests around in one to three business days — usually faster.