Business Associate Agreement

Version 2025-09-20 · Last updated September 20, 2025

This Business Associate Agreement (“BAA”) is entered into between Bilateral Mind (EMDR Tappers), a technology platform provider with principal place of business at 1014 Broadway #1420, Santa Monica, CA 90403 (“Business Associate”), and the healthcare provider/practice accepting this agreement (“Covered Entity”).

Note: This BAA is executed electronically during therapist onboarding within the EMDR Tappers application. The summary below reflects the current template. The binding version is the one accepted within the app.

Article I — Definitions

Terms used in this BAA have the same meaning as in HIPAA and HITECH, including Breach, Protected Health Information (PHI), Electronic Protected Health Information (ePHI), Security Incident, and related terms.

Platform-specific definitions include the EMDR Tappers technology solution (web, mobile, Apple Watch), Session Data (PHI created during therapy sessions), Synchronization Events (real-time data exchanges between devices), and Covered Services (Services selected by Covered Entity).

Article II — Business Associate Obligations

Permitted Uses and Disclosures

Business Associate agrees to use and disclose PHI only as permitted by this BAA, as Required by Law, or as authorized in writing. Business Associate may create de-identified health information in accordance with 45 CFR § 164.514(b).

Safeguards

  • Implement administrative, physical, and technical safeguards for ePHI
  • Encrypt data in transit using industry-standard protocols (TLS/DTLS-SRTP)
  • Maintain audit logs of all PHI access and modifications
  • Conduct annual risk assessments
  • Store PHI in data centers with SOC 2 Type II certification
  • Implement multi-factor authentication where appropriate
  • Retain required HIPAA documentation for six (6) years

Reporting Obligations

  • Report non-permitted uses/disclosures within 72 hours
  • Report Security Incidents within 72 hours of discovery
  • Report Breaches of Unsecured PHI within 30 calendar days
  • Report unsuccessful Security Incidents quarterly

Subcontractor Management

Business Associate enters written agreements with all Subcontractors that handle PHI, containing provisions at least as protective as this BAA. A current list of Subcontractors is available upon request.

Individual Rights Support

  • Provide access to PHI within 30 days of request
  • Make amendments within 60 days as directed
  • Provide accounting of disclosures within 60 days

Article III — Covered Entity Obligations

  • Use the Platform only for legitimate healthcare operations
  • Ensure all users are trained on HIPAA requirements
  • Not submit PHI through non-secure channels
  • Obtain all necessary patient consents and authorizations
  • Provide only the minimum necessary PHI for the Services

Article IV — Term and Termination

  • Term: Effective upon acceptance; continues while Business Associate maintains PHI
  • Termination for Cause: 30 days written notice for material breach
  • Termination for Convenience: 14 days written notice by Business Associate
  • Effect: Return or destroy PHI within 60 days, or extend protections if infeasible

Article V — Liability and Indemnification

  • Neither Party liable for indirect, incidental, special, or consequential damages (except for willful misconduct)
  • Business Associate total liability capped at 12 months of fees or $100,000
  • Mutual indemnification for gross negligence and material breach
  • All clinical responsibility remains solely with Covered Entity

Article VI — General Provisions

  • Multi-device synchronization security maintained across all sessions
  • WebSocket and WebRTC connections secured with industry-standard encryption
  • Haptic feedback patterns treated as PHI when associated with sessions
  • Business Associate is a technology platform provider only — all clinical judgments, treatment decisions, and professional services are the sole responsibility of Covered Entity
  • Governed by California law; venue in Los Angeles County
  • 30-day good faith dispute resolution before litigation

Article VII — Notices

Business Associate:
Bilateral Mind, Attn: Privacy Officer
1014 Broadway #1420, Santa Monica, CA 90403
Email: help@emdrtappers.com

How to Sign

The BAA is executed electronically during therapist onboarding within the EMDR Tappers application. When you create a therapist account and accept the BAA, a record of your acceptance (name, title, organization, timestamp, and version) is maintained and available upon request.