Business Associate Agreement

Effective April 16, 2026

Quick answer: Larch tracks clinician credentials, not patient charts, so most clinicians don’t need a BAA with us. If your employer or a covered entity you contract with asks for one anyway, we’ll sign one. The rest of this page explains why we take this posture and how to request a countersigned BAA.

What a BAA is, in one paragraph

HIPAA requires a Business Associate Agreement when a vendor handles protected health information on behalf of a covered entity. The BAA defines what the vendor can do with PHI, how it must be safeguarded, what happens in a breach, and what must be returned or destroyed when the relationship ends.

Why a BAA usually isn’t needed for Larch

Credential data — the things Larch tracks — are not PHI. License numbers, DEA registrations, board certifications, and CE/CME completions belong to the clinician, not the patient, and most of them are already on public registries. So when an individual clinician signs up to track their own credentials, no BAA is required, and asking for one is a category error we’re happy to clarify with your compliance team.

The narrow exception: if a covered entity uses Larch to track credentials on behalf of clinicians it employs, and decides to treat any of that data as PHI under its own internal policy, a BAA is appropriate. We sign one in that case.

What we commit to under a signed BAA

We treat any data covered by the agreement with the same controls we apply to all credential records: row-level security at the database, signed short-lived URLs for every document download, encryption in transit and at rest, and audit logging on every read and write. We use the data only to deliver the service. We do not sell it, share it with advertising networks, or use it to train AI models. We do not disclose it except as required by law or permitted in writing by the covered entity.

Safeguards

Administrative, physical, and technical safeguards follow the HIPAA Security Rule. Concretely: role-scoped access with row-level security at the database layer, signed short-lived URLs for every document download, encryption in transit and at rest, least-privilege service accounts, audit logging on every access to compliance records, and mandatory multi-factor authentication for administrator accounts.

Subcontractors

We use Supabase (authentication, database, storage), Vercel (hosting), Sentry (error reporting), and Resend (transactional email). Some are bound by an executed BAA today; for the remainder, we will execute the appropriate BAA before any covered-entity workflow that could route PHI through that subprocessor goes live, and bind each through flow-down provisions. The current status of each subprocessor lives on our Security page; the always-current list of subprocessors is on our Privacy Policy.

Breach notification

If Larch discovers a breach of unsecured PHI, we will notify the affected covered entity without unreasonable delay and in any case within sixty calendar days, consistent with 45 CFR 164.410. Our notice will include what we know about what happened, what data was involved, and what steps we are taking to contain and remediate the incident.

Return or destruction on termination

On termination of the agreement, Larch will return or destroy all PHI in our possession, at the covered entity’s choice. Where return or destruction is infeasible, we will continue to protect the information and limit further use or disclosure to the purposes that make return or destruction infeasible.

Requesting a countersigned BAA

Email legal@larchhealth.com with the subject “Request BAA” and include the legal name of your covered entity, the signatory’s title, and a one-line description of how the entity plans to use Larch. We return a countersigned agreement, typically within three business days. If you’d like us to sign your own BAA template instead of ours, send it along; legal-team review usually adds another two or three business days.

This page describes our posture at a high level and is not itself a BAA. The executed agreement between Larch and the covered entity controls.