Jane App BAA: How to Request and Sign a HIPAA Business Associate Agreement
Jane App HIPAA Compliance Overview
A HIPAA Business Associate Agreement (BAA) defines how a vendor safeguards protected health information (PHI) on your behalf. When you use Jane App to create, receive, maintain, or transmit electronic PHI (ePHI), Jane acts as your Business Associate and a signed BAA is required for HIPAA Compliance.
The Jane App BAA outlines permitted uses of ePHI, safeguards for Patient Data Security, breach notification duties, and responsibilities at termination. It complements—not replaces—your internal privacy and security program, workforce training, and patient authorization processes.
Requesting a Business Associate Agreement
To request a BAA from Jane App, first confirm you are the account owner or an authorized signer for your organization. Gather your legal entity name, address, and a compliance contact so the agreement can be prepared without delays.
- Sign in to your Jane App administrator account and open the support or account settings area to initiate a Business Associate Agreement request.
- Provide your practice details and the email address of the authorized signer.
- Review the standard BAA you receive, confirm that the covered services match your Jane subscription, and e-sign.
- After countersignature, store the fully executed BAA in your compliance repository and note the effective date for audits.
If your legal team requires changes, request an amendment before signing. Keep the BAA aligned with how you actually use Jane App to manage ePHI.
Coverage and Scope of Jane App BAA
The Jane App BAA covers ePHI processed through the core Jane services you use in your practice operations, such as patient intake, scheduling, documentation, billing workflows, secure messaging, and other in‑platform activities supporting care and payment. It applies to PHI your organization creates, receives, maintains, or transmits via those services.
Permitted uses typically include providing and improving the contracted services, meeting legal obligations, and supporting security, availability, and reliability. Disclosures are limited to what HIPAA permits, including the minimum necessary standard. Subcontractors engaged by Jane must provide comparable protections.
Items outside the service boundary—like third‑party tools you connect, exports you store on your own systems, or communications conducted outside Jane—are generally not covered unless you have separate BAAs with those providers.
Security Measures Implemented by Jane App
Jane App uses layered controls to protect ePHI. While implementation details may evolve, the following practices illustrate the platform’s approach to Patient Data Security and HIPAA Compliance.
- Encryption in Transit: ePHI transmitted between your browser, devices, and Jane’s services is protected using modern transport encryption to prevent interception.
- Encryption at Rest: Stored data is encrypted to mitigate risks from unauthorized access to underlying media.
- Role-Based Access Control: You assign roles and permissions so users see only the information needed for their job functions.
- Audit Logging: Access and key actions are logged to support investigations, accountability, and compliance reviews.
- Availability and Resilience: Redundancy, backups, and recovery procedures help safeguard continuity and data integrity.
- Secure Development and Testing: Change management, vulnerability management, and periodic assessments reduce security defects.
- Identity and Access Management: Options such as strong passwords, session controls, and multi-factor authentication help protect accounts.
Data Handling and Exclusions in Jane App BAA
Within scope are ePHI elements stored or processed in Jane App, including demographics, clinical notes, financial and claims data, and documents you upload. These data are handled under the safeguards and restrictions defined in the BAA.
Common exclusions include: PHI sent through unencrypted channels outside the platform (for example, conventional email or SMS you send from personal devices), third‑party add‑ons or integrations without their own BAAs, data you export and store on local systems, and de‑identified or aggregated analytics that do not identify individuals. Authentication secrets and certain operational logs may also fall outside the definition of PHI, though they remain protected by security controls.
Subscriber Responsibilities for Patient Data
Your organization shares responsibility for Patient Data Security. HIPAA requires you to apply administrative, physical, and technical safeguards alongside the vendor’s controls.
- Configure Role-Based Access Control so each workforce member has the minimum necessary access; use unique accounts and promptly remove access when roles change.
- Enable strong authentication, consider multi-factor authentication, and enforce secure password practices on all accounts.
- Secure endpoints: encrypt devices, apply patches, prevent unauthorized storage of PHI, and control local downloads and exports.
- Train staff on HIPAA, privacy practices, secure messaging, and phishing awareness; document attendance and sanctions.
- Review Audit Logging routinely to detect unusual access and fulfill investigation obligations.
- Maintain BAAs with your downstream service providers (e.g., email, storage, billing clearinghouses) and complete periodic risk analyses.
- Establish incident response, breach notification, retention, and data disposal procedures that align with your Jane App BAA.
Signing and Managing the BAA Agreement
Only an authorized representative of your organization should sign the BAA. Store the fully executed, countersigned version with its effective date, and track renewal or amendment cycles. Ensure your workforce understands any operational limits the agreement sets.
- Version control: archive prior versions and document when changes take effect.
- Amendments: request updates if your use of Jane App or legal entity details change.
- Termination: plan how ePHI will be returned or deleted and the timeline for that process.
- Documentation: keep evidence of configuration, training, and risk assessments aligned to the BAA’s commitments.
Summary and Next Steps
The Jane App BAA formalizes how ePHI is protected and clarifies each party’s duties. Request the agreement from your admin account, review and e‑sign, retain the countersigned copy, and keep your configurations, access controls, and training aligned with the BAA and HIPAA requirements.
FAQs
How do I request a BAA from Jane App?
Sign in as an administrator, open the support or account settings area, and submit a Business Associate Agreement request with your legal entity and signer details. You will receive a standard BAA to review and e‑sign. After countersignature, save the final copy in your compliance records and note the effective date.
What patient data does the Jane App BAA cover?
It covers ePHI you create, receive, maintain, or transmit within Jane’s core services—such as demographics, clinical documentation, scheduling and operational details related to care, billing and insurance information, and documents you upload. Data handled outside the platform or by third parties without their own BAAs is generally out of scope.
What security measures does Jane App implement?
Jane employs Encryption in Transit, Encryption at Rest, Role-Based Access Control, and Audit Logging, alongside identity protections, backups, and resilient operations to support Patient Data Security. These layered controls help prevent unauthorized access, support accountability, and maintain availability.
Does the Jane App BAA include patient authentication data?
Authentication credentials (such as passwords or MFA tokens) are typically not classified as PHI under HIPAA and may not be explicitly covered by the BAA’s PHI provisions. However, they remain protected by platform security controls and should be safeguarded through strong authentication and access management. Review your executed BAA for the exact language.