HIPAA and BAA

Profound Health operates as a Business Associate (BA) to partner practices delivering CoCM services. Our Business Associate Agreement (BAA) enumerates the safeguards, data handling rules, and breach notification timelines we commit to.

Regulatory Scope

  • Covered Entities: Independent PCP practices, FQHCs, and health systems contracting Profound Health for integrated behavioral health services.
  • Protected Health Information (PHI): Clinical notes, measurement results, medication lists, and scheduling metadata synchronized through Supabase and external integrations.
  • Subcontractors: LiveKit, Twilio, SendGrid, Stripe, pVerify, and analytic tooling are all subject to downstream BAAs or HIPAA-eligible agreements.

Safeguards

Safeguard       Implementation
Administrative  Annual risk assessments, workforce training, incident response drills, and least-privilege access reviews.
Physical        Supabase and Azure host data in SOC 2 / HITRUST-certified facilities with redundant regional failover.
Technical       End-to-end encryption, strict RLS enforcement, encrypted backups, and mandatory MFA through Entra ID.

Breach Notification Window

We notify partners within 72 hours of discovering an incident that affects PHI. Severity classifications are documented in the Incident Response Playbooks (private).

Documentation

  • BAA templates live in the compliance/baa_templates table and version with Pulumi-managed storage.
  • Executed BAAs are stored as immutable PDFs with hash verification and linked to partner records.
  • Evidence (policies, audits, attestations) is tracked in the SOC Evidence Index (private).

Ongoing Compliance

  • Quarterly internal audits validate that RBAC and RLS rules match partner contracts.
  • Automated guards prevent exporting PHI to non-compliant destinations; all exports require an approved purpose tag.
  • Security posture reviews are shared with partners during onboarding and annually thereafter.

Partners can request the latest BAA version or supporting documentation through the Partner Ops Portal.

Last updated October 1, 2025 by Profound Health.
© 2025 Profound Health Institute.