Business Associate Agreement
Last updated: May 20, 2026
What is a BAA?
Under the Health Insurance Portability and Accountability Act (HIPAA), a Business Associate Agreement (BAA) is a contract between a Covered Entity (typically a healthcare provider, health plan, or healthcare clearinghouse) and a Business Associate (a vendor that handles Protected Health Information on behalf of the Covered Entity).
California FMS providers who use FMSLio to handle PHI about their participants generally need a BAA in place before doing so.
Does my FMS need a BAA with FMSLio?
If your organization handles PHI under HIPAA and uses FMSLio in ways that touch that PHI (e.g., storing participant medical information, sharing service records, or otherwise processing health-related data), a BAA is required before that use begins.
FMSLio's HIPAA-aware architecture
FMSLio is built with HIPAA compliance in mind:
- PHI fields encrypted at rest using AES-256-GCM
- TLS in transit
- Row-level security enforcing tenant-scoped access
- Comprehensive audit logging of access to PHI
- Workforce training on PHI handling
- Subprocessor list maintained and made available on request
How to request a BAA
To request a BAA, email contact@fmslio.com from your FMS account. Include your organization name, the name of the person authorized to sign on behalf of your organization, and a brief description of the PHI you intend to process through FMSLio.
We'll respond within five (5) business days with our standard BAA template for your review and signature.
Customer responsibilities
A BAA does not transfer all HIPAA responsibilities to FMSLio. Customers remain responsible for:
- Determining what data constitutes PHI
- Configuring access controls within FMSLio
- Workforce training on PHI handling
- Breach notification to affected individuals and HHS
- Other Covered Entity obligations under HIPAA and applicable state law
Questions
For BAA-related questions, contact contact@fmslio.com. For general HIPAA practices, see the HIPAA Notice.