Vertix.

HIPAA Compliance

Business Associate Agreement

Last updated: May 1, 2026 · Currently available to licensed clinicians in the United States.

Vertix is a HIPAA Business Associate. A Business Associate Agreement (BAA) is included with every paid plan at no additional cost — Solo, Professional, and Clinic.

1. What the BAA covers

The BAA contractually binds Vertix, as a business associate, to the HIPAA Privacy Rule (45 CFR Part 164, Subpart E, §§ 164.500–534), the Security Rule (Subpart C, §§ 164.302–318) and the Breach Notification Rule (Subpart D, §§ 164.400–414) when processing Protected Health Information (PHI) you upload. Its terms follow the required BAA content in 45 CFR § 164.504(e) and include:

  • Permitted uses and disclosures of PHI, limited to those the agreement and the Privacy Rule allow.
  • Safeguard requirements (administrative, physical, and technical) for electronic PHI.
  • Subcontractor flow-down provisions: every subprocessor signs a BAA with Vertix before it processes any PHI.
  • Breach notification to you without unreasonable delay and no later than 60 calendar days after discovery (internal target: 48 hours).
  • Termination rights and the obligation to return or destroy PHI when the agreement ends.
  • Audit rights for covered entities.

2. How to obtain your BAA

The BAA is available immediately on signup for any paid plan:

  • From Settings → Compliance → BAA in your Vertix account.
  • By email to [email protected].

The standard BAA is signed electronically via DocuSign. Enterprise customers may request a customized BAA for review by their compliance team.

3. Free tier and BAA

The Free tier does not include a BAA and must not be used to process PHI. Free-tier accounts may be used only for evaluation, training, or case examples that have been de-identified under 45 CFR § 164.514(b).

4. Subprocessors

The current subprocessor list is published at /security#subprocessors and updated within 30 days of any change. All subprocessors that may handle PHI have signed BAAs with Vertix.

5. Data residency

By default, PHI is stored in AWS regions in the United States (US East and US West). The BAA contractually commits Vertix to keep PHI within the residency region you select (United States only by default).

6. Breach notification

In the event of a security incident that results in a breach of unsecured PHI, Vertix will notify the affected covered entities as the HIPAA Breach Notification Rule requires of a business associate (45 CFR §§ 164.400–414; business associate obligations in § 164.410). A breach is treated as discovered on the first day Vertix knows of it, or would have known of it by exercising reasonable diligence.

  • Initial notification: within 48 hours of discovery (internal SLA).
  • Formal notification: without unreasonable delay and no later than 60 calendar days after discovery (the HIPAA maximum).
  • Full incident report: root cause, identification of affected individuals to the extent known (as § 164.410(c) requires), count of affected records, containment, and remediation.

7. Audit and inspection rights

Covered entities may audit Vertix's HIPAA compliance on reasonable notice, no more than once per year, or more often following a documented incident. We provide:

  • Security questionnaire (SIG, CAIQ, or custom).
  • Penetration test executive summary (annual, by independent third party).
  • SOC 2 Type II report (not yet available · audit target Q4 2026 · report target Q1 2027).

8. Enterprise BAA

Health systems and large clinics with custom data processing requirements should request the Enterprise BAA. It includes additional terms covering dedicated VPC, custom retention, custom indemnification, and dedicated breach response. Contact [email protected].

9. Questions

Compliance questions: [email protected].