How to Request and Sign a Business Associate Amendment (BAA) for HIPAA Compliance
If you need to sign a Business Associate Amendment (BAA) with BrainCert, follow the steps below to get started.
We make our Business Associate Amendment (BAA) available to all customers on a qualifying Enterprise Silver plan or higher. A generic BAA is available for review on our website at https://www.braincert.com/baa.
If you're eligible and need to sign the BAA online, please create a support ticket with BrainCert to request access to the online agreement for signature. Once your ticket is submitted, our team will provide the necessary steps to complete the signing process.
Please note that we do not sign customer-specific BAA agreements. Our BAA is designed to cover our relationship from a SaaS platform perspective, ensuring compliance with HIPAA. For legal reasons, we cannot make adjustments to our BAAs, as they accurately reflect the scope of the services we provide.
Once signed, your organization will have access to a fully compliant BAA with BrainCert, ensuring HIPAA compliance for our LMS platform, which includes courses, tests, virtual classrooms, gamification, and other features.
Security Information
Does BrainCert encourage the 'minimum necessary' rule for PHI?
Yes, BrainCert advises all customers to adhere to HIPAA's 'minimum necessary' standard when sharing PHI with BrainCert, ensuring that only the essential information required for processing is disclosed. This helps reduce the risk of unnecessary exposure of sensitive data while ensuring compliance with HIPAA guidelines.
How does BrainCert ensure proper use of workstations to support access and protection of ePHI?
BrainCert utilizes Amazon Web Services (AWS) infrastructure, with all production data hosted in a Virtual Private Cloud (VPC). Internal access is secured by firewalls, and employees must authenticate via VPN and multi-factor authentication (MFA) to access sensitive data.
Do you have a security policy to ensure the confidentiality, integrity, and availability of ePHI?
Yes, BrainCert follows strict security measures aligned with SOC 2 Type 2, ISO/IEC 27001:2013, and HIPAA compliance. For details on how data is protected in transit and at rest, please refer to our Security Page.
How does BrainCert secure its physical infrastructure?
BrainCert’s infrastructure is hosted on AWS, which provides robust physical security measures, including locked doors, surveillance, and intrusion detection. AWS has achieved SOC 1, 2, and 3, ISO 27001, and PCI DSS Level 1 certifications, ensuring a high level of security compliance. For more information, refer to the Amazon AWS Security Whitepaper.
What happens when an employee leaves BrainCert?
BrainCert has strict offboarding processes in place. Upon termination, all access to privileged accounts, including AWS cloud and other sensitive systems, is revoked immediately. Any permissions granted for specific job functions, including those involving access to sensitive or protected data, are disabled. Former employees are required to securely destroy any remaining local data.
How does BrainCert protect against malicious software and ensure security patches are applied?
We follow industry best practices, upgrading to stable software releases and applying security patches regularly. Security scans are performed frequently to identify vulnerabilities, and our internal IT policy ensures the safety of our environment.
Do you have policies for strong passwords?
Yes, we enforce strong password policies in compliance with NIST guidelines, ensuring password complexity, length, and secure management.
Does BrainCert conduct security audits or tests?
Yes, we conduct regular audits, including static and dynamic code analysis, vulnerability scans, and third-party penetration tests to ensure our platform remains secure. For further details on our compliance and certifications, visit our Security Page.