Security & trust · 2 min read · Updated May 23, 2026

HIPAA and the BAA — what's covered, who's eligible

A plain-English explanation of Salva's HIPAA posture, what the Business Associate Agreement covers, and how to request one.


Salva AI · Learn

What HIPAA means here

HIPAA governs how Protected Health Information (PHI) is collected, stored, and shared. Salva handles PHI any time a patient talks to it — names, phone numbers, symptoms, treatment context.

To stay compliant, two things have to be true:

  1. The technology is designed so PHI is encrypted, access-controlled, audited, and retained only as long as needed.
  2. The legal agreement between you (the covered entity) and us (your business associate) is in place — that's the BAA.

We do both.

What the BAA covers

A BAA is a written agreement that defines what we will and won't do with your patients' PHI. Ours covers:

  • Permitted uses (running the service you signed up for, nothing more)
  • Safeguards (encryption in transit and at rest, access controls, audit logs)
  • Breach notification obligations
  • Subcontractor pass-through (any third-party processors are bound by the same terms)
  • Return or destruction of PHI on termination

It's modeled on the HHS-recommended template, with edits specific to how Salva operates.

Who's eligible

Plan      BAA available?
Basic     No — Basic is chat-only and not intended for PHI
Pro       Yes
Growth    Yes

If you need PHI coverage and you're on Basic, upgrade to Pro before requesting the BAA.

How to request one

Email support@getsalvaai.com with the subject "BAA request" and include:

  • Your practice name
  • The Salva account email
  • Your business legal entity (LLC, PC, etc.)
  • The signer's name and email

You'll get a DocuSign-ready document within two business days. Sign, return, and you're covered.

Subprocessors

Salva relies on a handful of well-known third-party vendors to operate (hosting, voice infrastructure, payments, AI providers). Each one is bound by a BAA or equivalent before any PHI ever flows to them. The full current list is on the BAA page and privacy policy.

What a BAA doesn't do

A BAA is a contractual layer. It doesn't override technical controls or remove your own HIPAA obligations as a covered entity. You still need to:

  • Train staff on PHI handling
  • Maintain your own access controls inside your practice
  • Conduct security risk assessments per HHS guidance

For Salva's technical security controls — encryption, RLS, audit logs — see How Salva protects your data.


Published May 23, 2026