HIPAA
Business Associate Agreement
Lily executes a HIPAA-compliant Business Associate Agreement (BAA) with every covered entity that uses the platform. This page summarizes the agreement; the executed copy is what governs.
Who needs a BAA?
- Healthcare provider organizations using Lily to manage clinician rosters or member care
- Self-employed practitioners storing PHI (session notes, assessments) on Lily
- Covered employers using Lily as a benefits portal that touches PHI
What the BAA covers
- Permitted uses and disclosures of PHI by Lily as a Business Associate
- Safeguards we implement (encryption, access controls, audit logs)
- Breach notification obligations (within 60 days of discovery)
- Subcontractor flow-down for our cloud and email infrastructure
- Termination procedures and PHI return/destruction
How to execute a BAA
- Request the agreement at baa@asklily.health or via the contact form.
- We send a counter-signed BAA tailored to your organization within two business days.
- Sign electronically. The BAA takes effect immediately on counter-signature.
- Your organization is enrolled in our HIPAA-eligible plan tier.
Standard terms
Our default BAA mirrors the HHS sample provisions and adds enterprise-friendly clauses around audit rights, sub-processor approval, and breach notification SLAs. We negotiate redlines on request.
Contact
baa@asklily.health — our HIPAA Privacy Officer responds within 48 hours.