HIPAA and BAA Notice

HIPAA and Business Associate Agreement Notice

Last updated: May 4, 2026. This notice explains how EMDRSuite should communicate HIPAA and BAA status to therapists. It is not a standalone HIPAA compliance certification.

No automatic HIPAA claim

EMDRSuite should not be marketed as HIPAA compliant unless the operating entity, infrastructure, policies, access controls, audit processes, and vendor contracts support that claim.

BAA requirement

US covered entities or business associates may require a signed Business Associate Agreement before entering protected health information into EMDRSuite.

Customer responsibility

Therapists are responsible for determining whether HIPAA applies to their practice and whether a BAA or other healthcare privacy agreement is required.

Vendor chain

A HIPAA-ready setup may require BAAs or equivalent terms with hosting, database, email, support, analytics, payment, and other vendors that handle protected health information.

Minimum necessary

Therapists should enter only the minimum necessary patient information needed for the clinical workflow.

Requesting a BAA

Customers who require a BAA should contact legal@emdrsuite.com before storing protected health information.