Your BAA is signed before production patient data is stored
Every clinic organization on Fizy Health executes a Business Associate Agreement during onboarding — before live patient records are stored in production. The BAA covers Fizy Health's role as a business associate processing PHI on behalf of covered clinics: permitted uses, safeguards, subprocessors, breach-notification commitments, and alignment with HIPAA expectations. Multi-location groups operate under one org with clinic-scoped staff access.
Compliance leads searching for "Fizy Health BAA" or "business associate agreement" need to know the timing, the scope, and where platform safeguards are documented beyond the contract.
What the Fizy Health Business Associate Agreement covers
A BAA is the legal bridge between your clinic as covered entity and Fizy Health as business associate. Signing before production PHI means legal and ops can approve the platform on documented terms — while technical safeguards on the Security page show how those commitments are implemented in product.
- Timing
Executed during onboarding — not after go-live
Fizy Health does not store production patient data until the BAA is in place. That lets compliance teams check the legal box before the first real order — a common diligence requirement for cash-pay and telehealth operators switching pharmacy vendors.
- Scope
PHI processed to operate clinic ordering
The BAA covers PHI Fizy Health processes to provide pharmacy ops software: patient demographics tied to orders, cart lines, checkout, routing, and fulfillment coordination. Marketing-site visitors who never create a clinic account are outside production PHI scope.
- Safeguards
Contractual commitments backed by platform controls
Tenant isolation, audit trails on patient-linked activity, encrypted transport, least-privilege roles, and PHI-safe logging implement BAA safeguard expectations. The Security page documents these controls for questionnaires that go beyond the agreement itself.
- Organizations
One BAA per clinic organization
Multi-location groups sign at the organization level and manage several clinics under one account. Staff access remains scoped to assigned clinics so the BAA's minimum-necessary pattern matches how teams actually work on refill day.
BAA plus Security documentation for clinic diligence
Who needs a Fizy Health BAA before ordering?
You are a covered entity storing patient data for pharmacy ordering.
- Legal requires a signed BAA before any vendor stores PHI — Fizy Health signs during onboarding.
- You operate multiple clinic sites and need one org with clinic-scoped staff under a single agreement.
- You want contractual breach-notification and safeguard language aligned to HIPAA business associate rules.
You are not placing production patient data on the platform.
- You are only browsing the marketing site or guest catalog with no clinic account — no production PHI, no BAA yet.
- You need a custom BAA with non-standard terms — discuss enterprise requirements before onboarding.
- You are evaluating software that will never touch patient identifiers — confirm scope with your compliance lead.
Production workflows on governed infrastructure
Once the BAA is executed and your org is verified, these are the audited surfaces clinic teams use daily.
- Patient-linked cart on audited infrastructure
Build refill-day carts with every line tied to a patient — reads and mutations record audit events per platform standards.
- Validation before PHI-linked checkout
Cart validation runs before payment on patient-associated lines — fewer rejections and clearer accountability after the BAA is in place.
- Routing with fulfillment audit trail
Post-checkout routing to 503A partners maintains per-line records compliance teams can reference during access review.
BAA questions clinics ask about Fizy Health.
- Timing
When is the Fizy Health BAA signed?
The Business Associate Agreement is executed during onboarding before your organization stores live patient data in production. Clinics should plan for legal review during signup — not after the first refill batch is entered.
- Scope
What PHI does Fizy Health process under the BAA?
Fizy Health processes PHI needed to operate clinic ordering: patient identifiers tied to cart lines, checkout, routing, and order status. The Privacy Policy describes collection and use; the BAA governs processing on behalf of covered clinics.
- Multi-site
One BAA for multiple clinic locations?
Yes. Multi-location groups operate under one organization with clinic-scoped staff access. The BAA is at the org level; row-level security enforces boundaries between sites.
- Subprocessors
Does the BAA cover pharmacy and payment partners?
Fizy Health shares information with subprocessors needed to operate the service — including payment processors and pharmacy fulfillment partners — under contractual protections aligned to HIPAA expectations. Order routing to 503A partners is at your direction as part of fulfillment.
- Diligence
Can we get a copy before signup?
Contact support@fizy.health or use the contact form for BAA and security documentation requests. Enterprise prospects can receive additional materials under NDA alongside the public Security page.
Sign your BAA. Then order with confidence.
Onboarding includes executing the Business Associate Agreement before production PHI — paired with Security controls your compliance team can review today.