Business Associate Agreement
How Marpass, Inc., a Delaware corporation, protects residents' health information under HIPAA across residential care facilities of every size.
Last updated: July 2026
What is a BAA and why does it matter?
A Business Associate Agreement is a legally binding contract required by HIPAA whenever a covered entity (your residential care facility) shares protected health information with a third party (Marpass). It defines how we handle, protect, and are accountable for your residents' health data.
As a residential care operator, your facility is a covered entity under HIPAA. When you use Marpass to manage medication records, care plans, and other health information, Marpass becomes your business associate. The BAA ensures that we are legally obligated to protect that information with the same rigor that you are.
Without a BAA in place, using any software platform to store resident health data could put your license and your residents' privacy at risk. State surveyors and inspectors may ask to see your BAA during licensing inspections and surveys.
Why residential care operators need a BAA
Key points of Marpass's BAA
Here is what our Business Associate Agreement guarantees for residential care facilities of every size.
Data Encryption
All protected health information is encrypted at rest using AES-256 and in transit using TLS 1.2+. Your resident data is never stored in plaintext. Marpass is built on SOC 2 Type II-audited infrastructure (AWS, Vercel).
Access Controls
Role-based permissions ensure that staff members only access the information they need. Every access is logged in an immutable audit trail.
Breach Notification
In the unlikely event of a Breach of Unsecured PHI, we will notify affected covered entities without unreasonable delay and no later than 5 business days after discovery and provide a complete incident report. Notifications are made in accordance with HIPAA (45 CFR 164.410) and applicable state breach-notification laws, including Florida's Information Protection Act (Fla. Stat. 501.171) and Washington's breach-notification statute (RCW 19.255). The strictest applicable timeline governs.
Audit Rights
You have the right to audit our data handling practices. We provide audit summaries and will cooperate with reasonable audit requests related to PHI.
Data Return & Deletion
When your agreement ends, we will return Your Content in a standard format and return or delete our copies of PHI within 60 days, EXCEPT where longer retention is required by law or to meet your facility's state record-retention obligations. Certification of destruction is provided for data actually destroyed.
Subcontractor Obligations
Any subcontractor who handles PHI on our behalf is bound by equivalent obligations through a written agreement, including a downstream BAA where required. A current list of subprocessors is maintained at /subprocessors and customers are notified of changes.
How to get your BAA
We provide a Business Associate Agreement to every customer that handles PHI through Marpass. Contact our team to request and execute the BAA as part of your onboarding. The signed BAA is provided to you as a PDF for your records and for production during state surveys or licensing inspections.
If your facility requires a custom BAA or specific clauses (for example, a negotiated breach super-cap or specific data-residency commitments for an enterprise portfolio), reach out and we will work through them with you.

Have questions about HIPAA compliance?
Our team is here to help you understand how Marpass protects your residents' data.