This page summarizes our HIPAA Business Associate Agreement (BAA). The full BAA is presented for signature during account onboarding — every paid plan includes BAA execution at no extra cost. To request a copy for legal review before signing up, email [email protected].
1. Introduction
LuzardoFax (the "Business Associate") provides secure online fax services to healthcare providers and other Covered Entities (the "Covered Entity"). This Business Associate Agreement ("BAA") establishes the permitted uses and disclosures of Protected Health Information ("PHI") by the Business Associate in the course of providing the service.
2. Definitions
- PHI: Protected Health Information as defined by HIPAA.
- ePHI: Electronic Protected Health Information.
- HIPAA: Health Insurance Portability and Accountability Act of 1996.
- HITECH: Health Information Technology for Economic and Clinical Health Act.
3. Obligations of Business Associate
LuzardoFax agrees to:
- Not use or disclose PHI other than as permitted by this Agreement or as required by law
- Implement appropriate safeguards to prevent unauthorized use or disclosure of PHI
- Report any unauthorized use or disclosure of PHI within the required HIPAA timeframes
- Ensure that any subcontractors with access to PHI agree to the same restrictions
- Make PHI available for access by individuals as required by HIPAA
- Make PHI available for amendment as required by HIPAA
- Provide an accounting of disclosures as required by HIPAA
- Make internal practices and records available to HHS for compliance verification
4. Security Measures
Administrative Safeguards
- Designated security officer responsible for HIPAA compliance program
- Workforce security training prior to PHI access
- Documented access management procedures
- Security incident response procedures with defined escalation
Physical Safeguards
- Hosted in secure SOC 2 Type II / ISO 27001 audited data center facilities (Vultr, Miami FL)
- Physical access controls to data center facilities (provider-managed)
- Workstation security policies for all personnel with PHI access
Technical Safeguards
- AES-256 encryption for data at rest
- TLS 1.3 encryption for data in transit on the web application and on the link between LuzardoFax and its fax transport provider. The final PSTN leg of a fax call is an ordinary telephone call and is not covered by TLS, so confidentiality on that leg is no stronger than the telephone network itself.
- Unique user identification with bcrypt-hashed passwords
- Automatic session timeout and JWT token expiration
- Comprehensive audit logging of all PHI access and account events
- BAA signatures anchored to the Bitcoin blockchain via OpenTimestamps: independently verifiable proof that a hash of each signed agreement existed no later than the Bitcoin block that commits to it. The anchor proves when the agreement was signed, not who signed it; verification requires the original signed document and its OpenTimestamps proof, and the Bitcoin attestation is typically available some hours after signing.
- Encrypted daily backups with separate keys from production
- Documented data backup and recovery procedures
5. Permitted Uses and Disclosures
The Business Associate may use or disclose PHI only to:
- Perform the fax transmission, storage, and account management services described under the LuzardoFax Terms of Service
- Conduct proper management and administration of the Business Associate (e.g., maintenance, security investigations)
- Comply with applicable law (subpoena, court order, regulatory request)
6. Fax Storage & Retention Policy
LuzardoFax retains fax content and audit logs for 7 years from the original transmission date. This exceeds the six-year period HIPAA requires for its own mandated documentation (45 CFR 164.316(b)(2)); retention periods for medical records themselves are set by state law, and customers remain responsible for meeting those.
- Fax PDFs are encrypted at rest using AES-256 throughout the retention period
- All access to faxes is logged with timestamp, user, IP address, and user agent
- Customers can download or delete individual faxes at any time within the retention window (subject to applicable record-keeping obligations)
- On account cancellation, unless the customer has requested return or destruction of PHI under section 8, data is retained read-only for 30 days, then archived, and deleted at the end of the 7-year window; the protections of this Agreement continue to apply to archived data
7. Breach Notification
In the event of a breach of unsecured PHI, Business Associate will:
- Notify the Covered Entity without unreasonable delay, and in no case later than 60 calendar days after discovery, as required by the HIPAA Breach Notification Rule (45 CFR 164.410)
- Provide available details of the breach including individuals affected and the nature of the data exposed
- Cooperate with the Covered Entity's investigation
- Mitigate the harmful effects of the breach to the extent practicable
- Document the incident, root cause, and corrective actions taken
8. Term and Termination
This Agreement is effective upon execution and continues until:
- Termination of the LuzardoFax service subscription, or
- Termination for cause due to material breach by either party
Upon termination, the Business Associate will return or destroy all PHI in accordance with HIPAA requirements and the customer's documented preference, where feasible. Where return or destruction is not feasible, protections continue under this Agreement.
9. Subcontractors
LuzardoFax uses the following subcontractors that may have access to PHI. Each is required to sign a Business Associate Agreement with LuzardoFax where it handles PHI and each maintains its own audited security controls; the current BAA status is noted for each:
- Vultr — Cloud infrastructure hosting (SOC 2 Type II, ISO 27001/27017/27018). BAA execution in progress.
- Telnyx — Fax transport between PSTN and digital infrastructure. BAA execution in progress.
- SendGrid — Transactional email delivery for account and fax notifications. BAA execution in progress.
- Cloudflare — CDN and DDoS protection. PHI is never cached at edge nodes, and no BAA is required for our configuration. Note that caching is not the only exposure: a CDN that proxies and terminates TLS handles request and response bodies in the clear as they pass through, so this determination assumes PHI-bearing traffic is not proxied through Cloudflare.
10. Request a BAA
The BAA is presented for signature automatically during account onboarding — every paid plan includes BAA execution at no extra cost, with IP and timestamp capture for legal audit trail.
To request a copy of the BAA for legal review before signing up, or for enterprise contracts requiring customized terms:
- Email: [email protected]
- Subject: BAA Request — [Your Practice Name]
We typically process BAA preview requests within 1 business day.