Who needs a BAA
You need a BAA if:
- Your application stores patient health data (demographics, diagnoses, medications, encounters, etc.)
- Your organization is a HIPAA covered entity (healthcare provider, health plan, or healthcare clearinghouse)
- Your organization is a business associate of a covered entity
How to request a BAA
Upgrade to a paid plan
Sign in to the Developer Dashboard and upgrade to Starter or above.
BAA availability by plan
| Plan | BAA available |
|---|---|
| Sandbox (free) | No |
| Starter ($49/mo) | Yes |
| Pro ($499/mo) | Yes |
| Team ($1,999/mo) | Yes |
| Enterprise (custom) | Yes — custom terms |
What the BAA covers
The ClinikAPI BAA documents the technical and administrative safeguards ClinikAPI provides on your behalf:
- Storage: clinical data is stored in AWS HealthLake with AES-256 encryption at rest using AWS-owned KMS keys.
- Transit: all API endpoints use TLS 1.2 or higher.
- Access controls: API key authentication with tenant isolation enforced at the query layer.
- Audit logging: every API request is logged with FHIR resource context and retained for 90 days.
- Data isolation: resources are tagged per tenant; cross-tenant access is blocked at the gateway.
- Breach notification: ClinikAPI will notify you within 60 days of discovering a breach, per HIPAA requirements.
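The access-control, audit-logging and data-isolation items above describe a common pattern: the tenant is derived from the API key, every query is scoped to that tenant before it touches the data store, and each request is logged with its FHIR resource context. The following is an added illustration of that pattern, not ClinikAPI's own code or API; the API keys, tenant ids and FHIR-style resources are constructed sample data, and the 90-day retention window is applied to the in-memory audit log only.

```python
"""Hypothetical tenant-isolation and audit-logging layer (illustration only)."""
from datetime import datetime, timedelta, timezone

# Constructed sample data: each API key maps to exactly one tenant.
API_KEYS = {"key-clinic-a": "tenant-a", "key-clinic-b": "tenant-b"}

# Constructed FHIR-style resources, each tagged with the tenant that owns it.
RESOURCES = [
    {"resourceType": "Patient", "id": "p1", "tenant": "tenant-a", "name": "Ann"},
    {"resourceType": "Patient", "id": "p2", "tenant": "tenant-b", "name": "Bob"},
    {"resourceType": "Observation", "id": "o1", "tenant": "tenant-a", "subject": "Patient/p1"},
]

AUDIT_LOG = []
AUDIT_RETENTION = timedelta(days=90)


class AuthError(Exception):
    """Unknown or missing API key."""


class Forbidden(Exception):
    """Caller attempted to reach outside its own tenant."""


def resolve_tenant(api_key):
    """Map an API key to its tenant; the caller never names the tenant itself."""
    try:
        return API_KEYS[api_key]
    except KeyError:
        raise AuthError("unknown API key") from None


def audit(tenant, resource_type, params, count, outcome, now=None):
    """Append one audit record carrying the FHIR resource context of the request."""
    entry = {
        "time": now or datetime.now(timezone.utc),
        "tenant": tenant,
        "resourceType": resource_type,
        "params": dict(params),
        "count": count,
        "outcome": outcome,
    }
    AUDIT_LOG.append(entry)
    return entry


def query(api_key, resource_type, params=None):
    """Search resources of one type, always scoped to the caller's tenant."""
    tenant = resolve_tenant(api_key)
    params = dict(params or {})
    # Gateway rule: a caller-supplied tenant filter that differs from the key's
    # tenant is a cross-tenant attempt; block it and record the denial.
    if params.get("tenant", tenant) != tenant:
        audit(tenant, resource_type, params, 0, "denied")
        raise Forbidden("cross-tenant access blocked")
    # Query layer injects the tenant scope; nothing the caller passed can remove it.
    params["tenant"] = tenant
    results = [
        r for r in RESOURCES
        if r["resourceType"] == resource_type
        and all(r.get(k) == v for k, v in params.items())
    ]
    audit(tenant, resource_type, params, len(results), "ok")
    return results


def read(api_key, resource_type, resource_id):
    """Read by id through the same scoped query: a foreign id is not found, not leaked."""
    hits = query(api_key, resource_type, {"id": resource_id})
    return hits[0] if hits else None


def prune_audit(now=None):
    """Drop audit entries older than the retention window; return the kept count."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - AUDIT_RETENTION
    AUDIT_LOG[:] = [e for e in AUDIT_LOG if e["time"] >= cutoff]
    return len(AUDIT_LOG)


if __name__ == "__main__":
    print(query("key-clinic-a", "Patient"))          # only tenant-a's patient
    print(read("key-clinic-a", "Patient", "p2"))      # None: p2 belongs to tenant-b
```

The point of routing `read` through `query` is that there is a single place where the tenant scope is applied, so a new endpoint cannot forget it; the audit record for a denied request keeps the offending parameters so an operator can see the attempted scope without the data ever having been returned.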
The BAA covers ClinikAPI’s managed infrastructure, including AWS HealthLake. It does not extend to third-party services you connect to outside of ClinikAPI.