HIPAA Business Associate Agreement (BAA)
If your organization is a HIPAA-covered entity or business associate that processes Protected Health Information (PHI), you must accept DocuTrust’s Business Associate Agreement before using the platform to handle PHI. The BAA establishes the responsibilities of both parties for safeguarding PHI.
When Is a BAA Required?
A BAA is required when you use DocuTrust to:
- Collect signatures on documents containing patient health information
- Store documents that include diagnoses, treatment plans, or medical records
- Process forms that contain health insurance information
- Send documents to patients or healthcare providers that reference PHI
If your documents do not contain PHI, a BAA is not required but can still be accepted as a precautionary measure.
Check BAA Status
Query whether a BAA has been accepted for the current account.
```bash
curl -X GET https://your-app.com/api/baa/status \
  -H "X-Auth-Token: YOUR_API_TOKEN"
```
Response 200 OK (BAA accepted)
```json
{
  "accepted": true,
  "version": "2026-01",
  "accepted_at": "2026-04-01T10:00:00Z",
  "accepted_by": "admin@company.com"
}
```
Response 200 OK (BAA not accepted)
```json
{
  "accepted": false,
  "version": null,
  "accepted_at": null,
  "accepted_by": null
}
```
| Field | Type | Description |
|---|---|---|
| accepted | boolean | Whether a BAA is currently in effect for this account. |
| version | string or null | The version identifier of the accepted BAA (e.g., "2026-01"). Null if no BAA is accepted. |
| accepted_at | string or null | ISO 8601 timestamp of when the BAA was accepted. Null if no BAA is accepted. |
| accepted_by | string or null | Email address of the administrator who accepted the BAA. Null if no BAA is accepted. |
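A status check is only useful if the calling application treats it as a gate. The following Python client is an added example, not DocuTrust's own code: it fetches `/api/baa/status` with the `X-Auth-Token` header shown above, then refuses to proceed with PHI handling unless the body shows `accepted: true` for a version the integrator has pinned, with a parseable `accepted_at` and an administrator `accepted_by`. Everything missing, null or malformed counts as "not accepted". The function names (`baa_rejection_reason`, `require_baa`, `fetch_baa_status`, `fake_opener_for`), the `BaaNotInEffect` exception, and the two sample response bodies are constructed for this example; the sample bodies mirror the documented response shapes and are not captured from a live account.

```python
import io
import json
import urllib.request
from datetime import datetime

# Constructed sample bodies shaped like the documented 200 OK responses
# (not captured from a live account).
STATUS_ACCEPTED = {
    "accepted": True,
    "version": "2026-01",
    "accepted_at": "2026-04-01T10:00:00Z",
    "accepted_by": "admin@company.com",
}
STATUS_NOT_ACCEPTED = {
    "accepted": False,
    "version": None,
    "accepted_at": None,
    "accepted_by": None,
}


class BaaNotInEffect(RuntimeError):
    """Raised when PHI handling is attempted without a valid, pinned BAA."""


def parse_accepted_at(value):
    """Parse the ISO 8601 `accepted_at` value; return None if it is unusable."""
    if not isinstance(value, str):
        return None
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    # A timestamp without a UTC offset is treated as malformed.
    return ts if ts.tzinfo is not None else None


def baa_rejection_reason(status, required_version):
    """Return None when the BAA is in effect, otherwise a short reason string.

    Fails closed: any missing, null or malformed field is a rejection.
    `required_version` is pinned by the caller so that a newer BAA version
    nobody has reviewed is never silently treated as acceptable.
    """
    if not isinstance(status, dict):
        return "status body is not a JSON object"
    if status.get("accepted") is not True:
        return "no BAA accepted for this account"
    if status.get("version") != required_version:
        return "BAA version %r does not match required %r" % (
            status.get("version"), required_version)
    if parse_accepted_at(status.get("accepted_at")) is None:
        return "accepted_at is missing or not ISO 8601"
    accepted_by = status.get("accepted_by")
    if not isinstance(accepted_by, str) or "@" not in accepted_by:
        return "accepted_by is not an administrator email address"
    return None


def require_baa(status, required_version):
    """Gate to call before any code path that touches PHI; raises on rejection."""
    reason = baa_rejection_reason(status, required_version)
    if reason is not None:
        raise BaaNotInEffect(reason)


def fetch_baa_status(base_url, api_token, opener=urllib.request.urlopen):
    """GET /api/baa/status with the X-Auth-Token header and return the parsed body."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/baa/status",
        headers={"X-Auth-Token": api_token},
        method="GET",
    )
    with opener(req, timeout=10) as resp:
        return json.load(resp)


def fake_opener_for(body):
    """Offline stand-in for urlopen that serves a fixed JSON body (constructed)."""
    def _open(req, timeout=None):
        return io.BytesIO(json.dumps(body).encode("utf-8"))
    return _open


if __name__ == "__main__":
    # Offline demonstration: pass opener=urllib.request.urlopen against a real account.
    for body in (STATUS_ACCEPTED, STATUS_NOT_ACCEPTED):
        status = fetch_baa_status("https://your-app.com", "YOUR_API_TOKEN",
                                  opener=fake_opener_for(body))
        try:
            require_baa(status, required_version="2026-01")
            print("BAA in effect; PHI processing may proceed")
        except BaaNotInEffect as exc:
            print("PHI processing blocked:", exc)
```

Pinning `required_version` in the caller, rather than accepting whatever version the endpoint reports, means a BAA revision that has not been reviewed by the covered entity blocks PHI handling instead of being assumed equivalent; the `accepted_by` check additionally surfaces status bodies where the acceptance record is incomplete.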
Accept the BAA
Accept the current version of the Business Associate Agreement. Only account administrators can accept the BAA.
```bash
curl -X POST https://your-app.com/api/baa/accept \
  -H "X-Auth-Token: YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "version": "2026-01",
    "acknowledged": true
  }'
```
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| version | string | Yes | The BAA version to accept. Must match the current version available from DocuTrust. |
| acknowledged | boolean | Yes | Must be true to confirm the administrator has read and agrees to the BAA terms. |
Response 200 OK
```json
{
  "accepted": true,
  "version": "2026-01",
  "accepted_at": "2026-04-08T14:30:00Z",
  "accepted_by": "admin@company.com"
}
```
Accepting a new BAA version automatically supersedes any previously accepted version. Only one BAA version can be active at a time.
Revoke the BAA
Revoke the currently accepted BAA. This should only be done if your organization no longer processes PHI through DocuTrust.
```bash
curl -X DELETE https://your-app.com/api/baa \
  -H "X-Auth-Token: YOUR_API_TOKEN"
```
Response 200 OK
```json
{
  "accepted": false,
  "version": null,
  "accepted_at": null,
  "accepted_by": null
}
```
Revoking the BAA does not delete any existing documents or data. However, your organization assumes full responsibility for PHI compliance once the BAA is no longer in effect.
What the BAA Covers
DocuTrust’s BAA establishes obligations for:
| Obligation | Description |
|---|---|
| Data encryption | All PHI is encrypted at rest (AES-256-GCM) and in transit (TLS 1.2+). |
| Access controls | Role-based access, MFA enforcement, session timeouts, and account lockout. |
| Audit trails | Immutable, chain-hashed audit logs with 7-year retention for all PHI access. |
| Breach notification | DocuTrust will notify the covered entity within 24 hours of discovering a breach. |
| Data disposal | PHI is securely deleted upon account termination or at the covered entity’s request. |
| Subcontractor obligations | Any subcontractors with PHI access are bound by equivalent terms. |
Error Responses
| Status | Error | Description |
|---|---|---|
| 400 Bad Request | "Version mismatch" | The version in the request does not match the current BAA version. |
| 400 Bad Request | "Acknowledgment required" | The acknowledged field was not set to true. |
| 403 Forbidden | "Admin access required" | Only account administrators can accept or revoke the BAA. |
| 404 Not Found | "No active BAA" | Attempted to revoke the BAA when none is currently accepted. |