This BAA is available to Tenants on enterprise plans only. If your use case involves Protected Health Information (PHI), contact enterprise@spitshake.io to request a signed BAA before transmitting any PHI through the service. PHI upload without an active BAA is prohibited by our Acceptable Use Policy.
Parties
This Business Associate Agreement (“BAA”) supplements and is made part of the Terms of Service between the enterprise Tenant (the “Covered Entity”) and IVERIFI, LLC d/b/a SpitShake, a Connecticut limited liability company (the “Business Associate”). IVERIFI, LLC is wholly owned by ADS CORP.
Definitions
Capitalized terms used but not defined have the meanings given in 45 CFR Parts 160 and 164. PHI means Protected Health Information. ePHI means electronic PHI. HIPAA Rules means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164.
1. Permitted uses and disclosures of PHI
Business Associate may use or disclose PHI only (a) as needed to perform the services described in the Terms of Service, (b) as required by law, or (c) for the proper management and administration of Business Associate, consistent with 45 CFR § 164.504(e)(4). Business Associate will not use or disclose PHI for any other purpose, and will not sell PHI.
2. Safeguards
Business Associate will implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI as required by the HIPAA Security Rule (45 CFR Part 164, Subpart C). This includes encryption of ePHI at rest and in transit, access controls with multi-factor authentication for administrative access, and an immutable audit log of access to and modification of PHI.
3. Reporting
Business Associate will notify Covered Entity of:
- Any use or disclosure of PHI that is not permitted by this BAA or the HIPAA Rules, without unreasonable delay and in no case later than the notification period required by applicable law.
- Any security incident of which Business Associate becomes aware, as that term is defined in 45 CFR § 164.304. Successful incidents will be reported in accordance with the timing of paragraph (a) above; unsuccessful incidents (routine blocked probes, filtered traffic) will be reported only on Covered Entity’s request.
- Any breach of unsecured PHI as defined in 45 CFR § 164.402, consistent with 45 CFR § 164.410 — without unreasonable delay and in no case later than 60 calendar days after discovery.
4. Subcontractor flow-down
Business Associate will ensure that any subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees in writing to restrictions and conditions at least as protective as those in this BAA, as required by 45 CFR § 164.502(e)(1)(ii). Business Associate’s current subprocessor list is published at /legal/subprocessors.
5. Individual access
Within a reasonable period after Covered Entity’s request, Business Associate will make PHI it maintains in a Designated Record Set available to Covered Entity or, as directed by Covered Entity, to the individual, to enable Covered Entity to satisfy its obligations under 45 CFR § 164.524.
6. Amendment
Within a reasonable period after Covered Entity’s request, Business Associate will make amendments to PHI in a Designated Record Set as directed by Covered Entity, consistent with 45 CFR § 164.526.
7. Accounting of disclosures
Business Associate will document disclosures of PHI and information related to such disclosures as required for Covered Entity to respond to a request for an accounting of disclosures under 45 CFR § 164.528. Upon request, Business Associate will provide that information to Covered Entity.
8. HHS access
Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
9. Return or destruction of PHI on termination
At termination of the Terms of Service, Business Associate will return or destroy all PHI received from, or created or received on behalf of, Covered Entity, and retain no copies, to the extent feasible. Where return or destruction is not feasible, the protections of this BAA will extend to that PHI and further use or disclosure will be limited to the purposes making return or destruction infeasible, consistent with 45 CFR § 164.504(e)(2)(ii)(J). The following situations are expressly identified as “not feasible” for these purposes: (a) the immutable, cryptographically chained audit-trail entries that underpin the legal defensibility of documents already executed, which are retained for seven (7) years; (b) data in encrypted backups that will be overwritten in the normal rotation schedule.
10. Termination for cause
Covered Entity may terminate the Terms of Service and this BAA if Covered Entity determines that Business Associate has materially breached this BAA and has failed to cure the breach within a reasonable period after written notice. If termination is not feasible, Covered Entity may report the breach to the Secretary consistent with 45 CFR § 164.504(e)(1)(iii).
Miscellaneous
- Interpretation. Any ambiguity in this BAA will be interpreted to permit compliance with the HIPAA Rules.
- Amendment. The parties agree to take such action as is necessary to amend this BAA from time to time as necessary for Covered Entity or Business Associate to comply with the requirements of the HIPAA Rules.
- Relationship to Terms of Service. In case of conflict between this BAA and the Terms of Service, this BAA controls with respect to PHI.
This BAA is provided by IVERIFI, LLC d/b/a SpitShake (a Connecticut limited liability company wholly owned by ADS CORP). Last updated: 2026-04-19.