HIPAA – Business Associate Agreement (BAA)

Understanding Our BAA: HIPAA Compliance for Therapists

Last Updated: May 5, 2026 | Version: 1.0

At 2ConnectMe, we take your privacy and compliance seriously. This page explains our Business Associate Agreement (BAA) in plain English. The full legal document is available for download below.

2ConnectMe HIPAA – Business Associate Agreement (BAA) download


What is a BAA? (And Why Do You Need One?)

A Business Associate Agreement (BAA) is a written contract required by HIPAA. It defines how we (2ConnectMe, the “Business Associate”) protect your patients’ health information when you use our platform.

Under HIPAA, a covered entity (you, the therapist or practice) must have a BAA in place with any vendor that creates, receives, maintains, or transmits protected health information (PHI) on its behalf. A telehealth video platform is such a vendor, so using one with US patients without a signed BAA is a HIPAA violation. We include a BAA with all paid plans.


The 60-Second Summary: What Therapists Need to Know

Your Concern | How 2ConnectMe Addresses It
Can you read my session chat records? | No. They are encrypted on your own device with a key derived from a password only you know. We have no access to that password or to the plaintext.
What if I lose my password? | Recovery words let you reset it on a device you have previously logged into. Store them offline; without the password or the recovery words, the records cannot be recovered.
Are patient records protected? | Yes. AES-256 encryption for all data at rest.
Is video secure? | Yes. TLS 1.3 for all data in transit.
Who is liable if something goes wrong? | Our liability is capped at 12 months of the subscription fees you have paid (Article 11.1).
How do I prove compliance? | Audit logs record every login, session start, and session end, and are retained for 6 years.
What about mobile devices? | MFA is required. Biometric unlock (Face ID / Touch ID) can resume a locked session.

Key Protections Built Into Your BAA

1. Zero-Knowledge Encryption (Your Notes Are Yours Alone)

What it means: Your session chat records are encrypted on your own computer with a key derived from a password that only you know. We cannot access, read, or recover your notes, even if a court asks us. The flip side is that we cannot reset that password for you either: if you lose both the password and your recovery words, the records are gone.

Why it matters: Unlike platforms that hold your transcripts on their servers in a form they can read, 2ConnectMe never holds the key, so a breach of our servers or a subpoena served on us cannot expose your notes.

“Business Associate has no access to, knowledge of, or ability to recover this password.” — Article 3.1

2. Patient Security (Simple and Protected)

What it means: Your patients’ chat records are encrypted with AES-256. They join with a simple link, with no passwords to create and no apps to download. Because the link is what admits the patient, treat it as a credential: send it only to the patient’s own phone number or email address and do not post it anywhere shared.

What we cannot do: If a patient loses their device, we cannot recover their chat history. We believe in honesty, not marketing claims.

“Business Associate cannot recover patient chat records after patient device loss.” — Article 4.2

3. Audit Logs (Your Compliance Trail)

What it means: Every login, session start, and session end is logged with:

  • User ID and timestamp
  • IP address and device identifier
  • Action performed

Retained for 6 years, matching HIPAA’s documentation retention period (45 CFR 164.316(b)(2)). Self-service access to the last 90 days is free; older logs are available for a retrieval fee.

“Audit logs shall be retained for a minimum of six (6) years from creation date.” — Article 5.2

4. Multi-Factor Authentication (MFA)

What it means: All therapist accounts require MFA at login. On mobile, Face ID or Touch ID can unlock a session that has locked, so you are not retyping your password all day. Biometric unlock resumes an existing authenticated session only; it does not replace MFA at sign-in.

“Biometric unlock (Face ID / Touch ID) is permitted for resuming a locked session.” — Article 8.3

5. Automatic Logout (Security Without Friction)

What it means:

  • Therapists: Auto-logout after 15 minutes of inactivity
  • Clinic dashboards: Auto-logout after 45 minutes (for waiting room displays)

Why the difference: Clinic dashboards showing de-identified queue information don’t contain patient names or clinical data.

“Dashboard displays only de-identified queue status — no clinical PHI.” — Article 7.2.1

6. Fair Liability Terms

What it means: Our liability is capped at 12 months of the subscription fees you have paid. We do not accept liability for events outside our control (for example, a lost laptop holding encrypted data).

“Business Associate’s total cumulative liability… shall not exceed the total subscription fees actually paid.” — Article 11.1


How the BAA Protects You (And When It Doesn’t)

Scenario | Is BA Liable? | Why
2ConnectMe’s server is breached | ✅ Yes | BA controls its infrastructure
Encryption software fails (bug) | ✅ Yes | BA provides the encryption
Your laptop is stolen (data encrypted) | ❌ No | BA cannot prevent physical theft
You lose your encryption password | ❌ No | BA has no access to your password
Patient loses their device | ❌ No | Data resides on the lost device

BAA Eligibility: Who Qualifies?

Plan | BAA Included? | Notes
Free Plan | ❌ No | For testing only. Not HIPAA-compliant.
Professional Plan ($9.99/month) | ✅ Yes | Full BAA included.
Group Practice Plan ($49.99/month) | ✅ Yes | Full BAA included for all providers.

“This BAA shall become effective only if and when the Covered Entity maintains an active, paid subscription.” — Article 13.1


How to Get Your BAA

  1. Sign up for a Professional or Group Practice plan
  2. Download the BAA from your account dashboard
  3. Print two copies, sign both by hand, and scan them (electronic signatures are not accepted)
  4. Email one signed copy to baa@2connectme.com
  5. Receive our countersigned copy within 10 business days

“Electronic signatures (e.g., DocuSign, clickwrap) are not accepted for this Agreement.” — Article 13.1


Download Links

Document | Format | Link
Full BAA (Legal Document) | PDF | [Download BAA v1.0]
BAA Summary (One Page) | PDF | [Download Summary]
Patient Disclosure Form | PDF | [Download Form]

Frequently Asked Questions

Q: Do I need a BAA if I only see patients in Hong Kong?

No. The BAA is for US-based therapists and patients subject to HIPAA. For Hong Kong therapists, we provide a Data Processing Agreement (DPA) instead.

Q: Can I use the Free Plan for telehealth?

No. The Free Plan does not include a BAA and should not be used for any US patient telehealth. It is for testing only.

Q: What if I lose my encryption password?

Use your recovery words on a device you’ve previously logged into. Keep them on handwritten paper, not digitally.

Q: How long does it take to get a signed BAA?

We return countersigned copies within 10 business days of receiving your signed copy.

Q: Can I use electronic signatures?

No. HIPAA itself does not prohibit electronic signatures, but this Agreement requires a handwritten signature (Article 13.1). Print, sign by hand, scan, and email.

Q: What if a patient’s device is lost?

We cannot recover patient chat records. The data is stored locally on their lost device. We disclose this clearly to patients.


Still Have Questions?

Our compliance team is here to help.

📧 BAA Support: baa@2connectme.com
📧 HIPAA Support: hipaa.support@2connectme.com


Document Version History

Version | Date | Summary of Changes
1.0 | May 5, 2026 | Initial release
