The summary. Workers' compensation billing involves PHI. DaisySync is architected so that no PHI ever touches our infrastructure — but we are still a Business Associate under HIPAA. A signed BAA between us is required before you process PHI through the add-on.
Request a DaisySync BAA
Send us your organization's legal name and signatory email. We'll email back a DaisySync BAA with your details filled in, ready for execution.
Based on HHS's model Business Associate Agreement — no unusual terms buried in the fine print.
DaisySync-specific clauses (clearly marked) describing the no-server-side-PHI architecture.
Reciprocal warranty requiring you to maintain your own Google Workspace BAA.
Same-business-day turnaround in most cases.
01Why you need one
HIPAA requires every Business Associate who processes PHI on behalf of a Covered Entity (or another Business Associate) to sign a Business Associate Agreement first (45 CFR §164.504(e)). Google Workspace itself is covered by Google's BAA — but third-party add-ons, including DaisySync, are explicitly not in scope of Google's BAA. A separate BAA between you and DaisySync is required.
02What's in the DaisySync BAA
The template preserves HHS's Model BAA language verbatim for the required clauses, then adds DaisySync-specific addenda describing:
Architecture. Explicit statement that the add-on runs inside Customer's Google Workspace tenancy and that no PHI traverses DaisySync-controlled systems.
Section 3 safeguards. The technical, administrative, and physical safeguards we maintain (which are minimal by design — we have no servers to safeguard).
Section 13.E warranty. Customer warrants they maintain a current Google Workspace BAA covering the underlying execution environment.
Breach notification. 45 CFR §164.410-compliant notification timelines. In practice, breaches at DaisySync's layer are near-impossible — but the obligation is documented regardless.
Term & termination. Aligned with your subscription term; includes return/destruction of any incidentally received PHI (again: we hold none).
03Who qualifies
We sign BAAs with organizations that meet all of the following:
You are a Covered Entity or a Business Associate under HIPAA.
You use Google Workspace Business Plus or higher and have an executed Google BAA in force.
You have an active DaisySync subscription (or have a signed order for one).
You have not previously had a signed BAA terminated by us for cause.
We cannot sign a BAA for free @gmail.com accounts — Google's BAA does not cover them, and no downstream BAA can backfill that gap.
04Cost
Executing a BAA with DaisySync costs nothing extra. It is included with your subscription at every paid tier.
05Process
Email legal@daisysync.com with your organization's legal name, your signatory's name and email, your HIPAA role (covered entity vs business associate), and your HIPAA notice address.
We send you the DaisySync BAA within one business day, with your details pre-filled.
Both parties sign via electronic signature (DocuSign or equivalent).
You receive a fully-executed PDF for your compliance records.
06Redlines & custom terms
We accept reasonable redlines. Our BAA is based on HHS's model, so most edits fall in a narrow, well-understood band. For enterprise engagements with bespoke requirements, we're also willing to review your template; attach it to your email and we'll respond within two business days.
Notice. This page describes the DaisySync BAA template in general terms. Terms in an executed BAA control over statements on this page in the event of any conflict.
