Legal
Business Associate Agreement
Last updated: June 10, 2026
HIPAA and your practice
ABA practices are HIPAA covered entities, and any software vendor that creates, receives, maintains, or transmits Protected Health Information (PHI) on their behalf must do so under a Business Associate Agreement (BAA). Onvelas operates as a Business Associate and executes a BAA with every customer organization before PHI is processed on the platform.
What our BAA covers
- Permitted uses and disclosures of PHI, limited to providing the Onvelas service.
- Safeguards — encryption in transit and at rest, role-based access control, audit logging, and organization-level data isolation.
- Breach notification obligations and timelines.
- Subcontractor (downstream business associate) requirements.
- Data return or destruction at termination, at the customer’s direction.
- Support for patient access and accounting-of-disclosures requests.
How to execute a BAA
A BAA is included with every Onvelas plan at no additional cost and is executed during onboarding, before your team enters any patient data. Enterprise customers may request review of custom BAA terms.
To request a copy of our standard BAA or ask questions, contact support@onvelas.com or include a note in your access request.
Related
See our Privacy Policy for how we handle information generally, and our Terms of Service for the terms governing the platform.