BAA
Business Associate Agreement readiness
Last updated: June 19, 2026
Do not submit protected health information (PHI) to Bella before a signed Business Associate Agreement (BAA) is in place. BAA execution and PHI onboarding approval are required before Bella can be used for PHI.
Who needs a BAA
A BAA is required before a covered entity or business associate uses Bella to create, receive, maintain, or transmit PHI. If you are not sure whether your use case involves PHI, treat it as blocked until reviewed.
Request flow
- Email [email protected] and request BAA review.
- Include your organization name, legal entity, role in the HIPAA chain, expected PHI categories, and user count.
- We confirm vendor/subprocessor coverage for your workflow.
- Legal reviews and executes the BAA.
- PHI onboarding is enabled only after technical and operational controls are verified.
Before PHI access is enabled
- Customer BAA executed.
- All PHI-touching vendors covered by signed BAAs or removed from the PHI path.
- Admin/staff MFA enabled.
- RBAC and tenant isolation verified.
- Audit logging verified for PHI and admin actions.
- Logging, analytics, AI, and support tools confirmed PHI-safe.
- Backup restore and incident-response procedures tested.
Current status
The public marketing site is being kept PHI-free. The authenticated app must still complete app-side hardening, vendor verification, and legal review before it can be represented as PHI-ready.