HIPAA

Business Associate Agreement

Last updated: May 26, 2026 · Genko, Inc.

Overview

A Business Associate Agreement (BAA) is a legally required contract under the Health Insurance Portability and Accountability Act (HIPAA). It establishes the permitted and required uses and disclosures of Protected Health Information (PHI) by Genkō in its role as a Business Associate to your healthcare organization. HIPAA requires Covered Entities — healthcare providers, health plans, and healthcare clearinghouses — to execute a BAA with all Business Associates before sharing any PHI.

When a BAA Is Required

A signed BAA with Genkō is required before your organization inputs any PHI into the platform. PHI includes patient names, dates of service, contact information, health conditions, appointment details, and any other information that could identify an individual in connection with their healthcare. If you are using Genkō solely for internal staff scheduling without any patient health data, a BAA may not be required, but we recommend executing one as a best practice.

What Genkō's BAA Covers

Our standard BAA is consistent with HIPAA requirements under 45 CFR §164.504(e) and includes the following provisions:

Permitted Uses and Disclosures

Genkō may use and disclose PHI only as permitted by the BAA and as necessary to provide our services. We will not use or disclose PHI in any manner that would violate HIPAA if done by the Covered Entity.

Safeguards

Genkō will implement and maintain appropriate administrative, physical, and technical safeguards to protect PHI from unauthorized use or disclosure, including compliance with the HIPAA Security Rule for electronic PHI.

Subcontractors

Any subcontractors or agents that Genkō engages to assist with services involving PHI will be required to execute equivalent BAAs and are bound by the same privacy and security obligations.

Breach Notification

Genkō will report to your organization any use or disclosure of PHI not provided for by the BAA, including security incidents and breaches of unsecured PHI, without unreasonable delay and within 60 days of discovery.

Individual Rights

Genkō will make PHI available to Covered Entities as necessary to fulfill individual rights under HIPAA, including access, amendment, and accounting of disclosures requests.

Minimum Necessary

Genkō will make reasonable efforts to use, disclose, and request only the minimum necessary PHI to accomplish the intended purpose.

Term and Termination

The BAA remains in effect for as long as your organization uses Genkō. Either party may terminate the BAA if the other materially breaches its obligations and fails to cure the breach within 30 days of notice. Upon termination, Genkō will return or securely destroy all PHI.

Plan Requirements

A BAA is available to all paid Genkō plans. Free plan accounts may not input PHI until they upgrade to a paid plan and execute a BAA. If you are on the Group, Practice, or Enterprise plan, contact us to execute your BAA and unlock enhanced HIPAA compliance features including audit logs, compliance reporting, and dedicated data residency options.

How to Execute a BAA

To request and execute a Business Associate Agreement with Genkō, email legal@getgenko.com from your organization's email address with the subject line "BAA Request — [Your Organization Name]". Include your organization name, primary contact, state of operation, and your Genkō account email. Our team will send a DocuSign link within one business day. Alternatively, if you have a preferred BAA template, attach it to your email and we will review it promptly.

Verification of BAA Status

Once your BAA is fully executed, Genkō will mark your organization account as BAA-covered in our compliance dashboard. You can view your BAA status in Settings → Compliance. If you believe your BAA is in place but your account does not reflect this, contact support@getgenko.com.

Data Processing and Subprocessors

A current list of Genkō's HIPAA-covered subprocessors — including cloud infrastructure, database, and communications providers — is maintained at getgenko.com/integrations. All subprocessors have executed BAAs with Genkō and meet HIPAA security requirements. We will notify you at least 30 days in advance of any material changes to our subprocessor list.

Request a BAA

Email legal@getgenko.com with the subject line “BAA Request — [Your Organization Name]”. Our team will respond within one business day.

Genko, Inc.

131 Continental Dr, Suite 305

Newark, DE 19713 US