Dōsys
Legal

Business Associate Agreement

HIPAA Compliance for Institutional Customers

Overview

A Business Associate Agreement (BAA) is a legal contract required under the Health Insurance Portability and Accountability Act (HIPAA) between a covered entity (such as a hospital or health system) and a business associate (a vendor that may access, transmit, or store Protected Health Information on behalf of the covered entity).

Vancomyzer™ v1.0 & PHI

Vancomyzer™ Version 1.0 does not store, transmit, or process Protected Health Information (PHI) under its current architecture.

All patient data entered into the Vancomyzer calculator is processed in-session on the client side and is not persisted to any Dōsys server, database, or log. Because no PHI touches Dōsys infrastructure, a BAA is not technically required for the current version of Vancomyzer.

However, we understand that many institutional procurement processes require a BAA regardless of architecture. We are happy to execute one.

BAA Availability

Business Associate Agreements are available for institutional customers on the Department / Hospital Plan. A BAA is included in every institutional contract that involves PHI handling (e.g., EMR integration), and is available upon request for any other Department / Hospital deployment.

BAAs are not required for the Free or Individual Pro plans, as these tiers do not involve PHI handling. However, if your compliance team requires documentation, please contact us.

What Our BAA Covers

Our standard BAA addresses:

  • Permitted uses and disclosures of PHI
  • Safeguards to prevent unauthorized use or disclosure
  • Breach notification obligations and timelines
  • Return or destruction of PHI upon contract termination
  • Compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule

Breach notification timeline

Dōsys will notify the covered entity of any actual or reasonably suspected breach of unsecured PHI without unreasonable delay and in no case later than 60 calendar days after discovery, as required by 45 CFR §164.410 (HIPAA Breach Notification Rule).

Future HIPAA Infrastructure

As Dōsys expands into EMR integration and enterprise features that may involve PHI, we are building toward:

  • SOC 2 Type II certification
  • HIPAA-compliant cloud infrastructure (encrypted at rest and in transit)
  • Access controls, audit logging, and role-based permissions
  • Regular third-party security assessments

Request a BAA

To request a Business Associate Agreement or discuss HIPAA compliance requirements for your institution, please contact:

Dosys Health LLC
McAllen, Texas
legal@dosys.health

Contact Us