Last updated: March 30, 2026
This Business Associate Agreement ("BAA") is entered into by and between Plane Software, Inc., a Delaware corporation ("Plane" or "Business Associate"), and the entity identified as the customer under the Terms of Service ("Customer" or "Covered Entity"), and supplements the Terms of Service ("Terms") and the Data Processing Addendum ("DPA").
This BAA governs Plane's obligations with respect to Protected Health Information ("PHI") that Customer submits to or processes through the Service in connection with Customer's obligations under the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations (collectively, "HIPAA").
Capitalized terms not defined in this BAA have the meanings given in the Terms or, where applicable, in HIPAA and its implementing regulations (45 C.F.R. Parts 160 and 164).
This BAA forms part of and is incorporated into the Terms. This BAA becomes effective upon Customer's acceptance of the Terms, execution of an order form or other written agreement incorporating this BAA, or upon Customer's submission of Protected Health Information to the Service, whichever occurs first. Customer must not submit Protected Health Information to the Service unless this BAA is in effect.
"Breach" has the meaning given in 45 C.F.R. § 164.402.
"Designated Record Set" has the meaning given in 45 C.F.R. § 164.501.
"Electronic Protected Health Information" or "ePHI" means PHI that is transmitted by, or maintained in, electronic media, as defined in 45 C.F.R. § 160.103.
"Individual" means the person who is the subject of the PHI, and includes a person who qualifies as a personal representative under 45 C.F.R. § 164.502(g).
"Protected Health Information" or "PHI" has the meaning given in 45 C.F.R. § 160.103, and for purposes of this BAA refers to PHI that Plane creates, receives, maintains, or transmits on behalf of Customer in connection with the Service.
"Required by Law" has the meaning given in 45 C.F.R. § 164.103.
"Security Incident" has the meaning given in 45 C.F.R. § 164.304.
"Subcontractor" means a person or entity to whom Plane delegates a function, activity, or service involving the creation, receipt, maintenance, or transmission of PHI.
This BAA applies to PHI that Customer submits to or processes through the cloud-hosted Service ("Plane Cloud"). This BAA applies only to the extent that Customer is a Covered Entity or Business Associate under HIPAA and Plane creates, receives, maintains, or transmits PHI on behalf of Customer.
Cloud-hosted (Plane Cloud). This BAA governs Plane's handling of PHI on Plane Cloud. Customer must use Plane Cloud in accordance with this BAA, the Terms, and Plane's HIPAA compliance guidance.
Self-hosted and air-gapped. For self-hosted and air-gapped deployments, PHI is stored and processed entirely on Customer's infrastructure. Plane does not create, receive, maintain, or transmit PHI in connection with those deployments (except to the limited extent described in Section 2.3). This BAA applies to those deployments only to the extent Plane receives PHI through support interactions or other channels outside the self-hosted environment.
If Customer shares PHI with Plane through support channels (such as support tickets, email, or chat), that PHI is covered by this BAA. Customer should minimize the PHI shared during support interactions and avoid including PHI unless necessary for the support request.
Plane will use and disclose PHI only as permitted by this BAA or as Required by Law. Specifically, Plane may use or disclose PHI to perform its obligations under the Terms, including providing, maintaining, and supporting the Service, and as otherwise permitted under the Terms for Customer Data. Plane will not use or disclose PHI in a manner that would violate HIPAA if done by Customer, except as expressly permitted in this Section 3.
Plane will implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, as required by the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C). These safeguards are consistent with Plane's security practices described at plane.so/security and the technical and organizational measures described in Annex II of the DPA.
Plane will limit its use, disclosure, and requests for PHI to the minimum necessary to accomplish the intended purpose, in accordance with 45 C.F.R. § 164.502(b) and the minimum necessary standard, to the extent applicable to Business Associates.
Plane will report to Customer without unreasonable delay, and in any event within the timeframes specified in Section 5, any use or disclosure of PHI not permitted by this BAA of which Plane becomes aware, any Security Incident of which Plane becomes aware, and any Breach of Unsecured PHI of which Plane becomes aware.
Plane will ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Plane agrees in writing to the same restrictions, conditions, and requirements that apply to Plane under this BAA. A current list of Plane's sub-processors (which includes any Subcontractors that may process PHI) is maintained at plane.so/legals/sub-processors.
To the extent Plane maintains PHI in a Designated Record Set, Plane will make such PHI available to Customer within thirty (30) days of a written request, in a manner consistent with 45 C.F.R. § 164.524, to enable Customer to fulfill its obligations to provide Individuals with access to their PHI.
To the extent Plane maintains PHI in a Designated Record Set, Plane will make such PHI available to Customer for amendment within thirty (30) days of a written request, in a manner consistent with 45 C.F.R. § 164.526, to enable Customer to fulfill its obligations to amend PHI.
Plane will make available to Customer, within thirty (30) days of a written request, information required to provide an accounting of disclosures in accordance with 45 C.F.R. § 164.528. Plane will maintain records of disclosures of PHI for at least six (6) years from the date of the disclosure.
Plane will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services ("HHS") for purposes of determining Customer's and Plane's compliance with HIPAA.
Plane will not receive remuneration, directly or indirectly, in exchange for PHI, except as permitted by 45 C.F.R. § 164.502(a)(5)(ii).
Plane will not use or disclose PHI for marketing or fundraising purposes.
Customer represents and warrants that it has obtained all necessary permissions, consents, and authorizations required under HIPAA and applicable law to disclose PHI to Plane and to permit Plane to use and disclose PHI as contemplated by this BAA.
Customer will limit the PHI submitted to the Service to the minimum necessary for Customer's use of the Service.
Customer will promptly notify Plane of any restrictions on the use or disclosure of PHI that Customer has agreed to in accordance with 45 C.F.R. § 164.522, to the extent such restrictions affect Plane's obligations under this BAA. Customer will also promptly notify Plane of any changes in, or revocation of, Individual authorizations, to the extent such changes affect Plane's obligations.
Customer is responsible for using the Service in a HIPAA-compliant manner, including maintaining its own HIPAA compliance program, implementing appropriate access controls and user management within the Service, and training Authorized Users on proper handling of PHI within the platform.
Plane will be deemed to have discovered a Breach on the first day on which the Breach is known to Plane, or by exercising reasonable diligence would have been known to Plane.
Plane will notify Customer of a Breach without unreasonable delay, and in no event later than thirty (30) calendar days after discovery.
The notification will include, to the extent known: (a) the nature of the Breach, including the types of PHI involved; (b) the identity of each Individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed; (c) a description of what Plane has done and will do to investigate, mitigate, and prevent future Breaches; (d) any other information Customer reasonably requires to fulfill its notification obligations under 45 C.F.R. §§ 164.404 through 164.408.
Plane will cooperate with Customer in investigating, mitigating, and remediating the Breach, and in Customer's fulfillment of its notification obligations under HIPAA.
Customer is responsible for providing notifications to affected Individuals, HHS, and the media, as required by the HIPAA Breach Notification Rule (45 C.F.R. Part 164, Subpart D).
This BAA takes effect as described above (upon Customer's acceptance of the Terms, execution of an order form or other written agreement incorporating this BAA, or Customer's submission of PHI to the Service, whichever occurs first) and continues for the duration of the Terms, unless terminated earlier in accordance with this Section 6.
Either party may terminate this BAA if the other party materially breaches this BAA and fails to cure the breach within thirty (30) days of written notice. If cure is not feasible, the non-breaching party may terminate immediately upon written notice.
Upon termination of this BAA or the Terms (whichever occurs first): (a) Plane will return or destroy all PHI in its possession, including PHI held by Subcontractors, in accordance with Section 9.5(b) of the Terms (thirty (30) day export window, followed by deletion); (b) if return or destruction is not feasible (for example, because PHI is embedded in backup systems that cannot be selectively purged), Plane will extend the protections of this BAA to the retained PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible; and (c) Plane will certify in writing, upon Customer's request, that PHI has been returned or destroyed, or describe the circumstances making return or destruction infeasible.
The obligations of Plane under Section 6.3 will survive termination of this BAA and the Terms for as long as Plane retains any PHI.
The parties agree to amend this BAA as necessary to comply with changes to HIPAA or its implementing regulations. If a material change is required, the parties will negotiate in good faith to agree on amended terms within sixty (60) days.
This BAA will be interpreted consistently with HIPAA and its implementing regulations. Any ambiguity in this BAA will be resolved in favor of an interpretation that permits the parties to comply with HIPAA.
In the event of a conflict between this BAA and the Terms (including the DPA), this BAA will prevail with respect to the use and disclosure of PHI. For all other data, the Terms and the Data Processing Addendum will continue to apply.
Nothing in this BAA confers any rights on any third party, including Individuals whose PHI is processed under this BAA.
This BAA is governed by the laws of the State of Delaware, except to the extent preempted by HIPAA. Any dispute, controversy, or claim arising out of or relating to the Terms ("Dispute") that cannot be resolved through good-faith negotiation within thirty (30) days of written notice will be resolved through final and binding arbitration administered by the International Chamber of Commerce ("ICC") under its then-current rules. Arbitration will be conducted by a sole arbitrator, seated in Delaware, U.S.A., conducted in English, and governed by Delaware law. The arbitrator's decision will be final and binding and enforceable in any court of competent jurisdiction.
Each party's liability arising out of or related to this BAA is subject to the limitations of liability set forth in Section 11 of the Terms, except to the extent such limitations are prohibited by applicable law (including HIPAA).
Neither party will be liable for failure or delay in performance due to causes beyond its reasonable control, including natural disasters, war, terrorism, pandemics, government actions, denial-of-service attacks, or third-party infrastructure failures. The affected party must provide prompt written notice and take reasonable steps to mitigate the impact. If the event continues for more than thirty (30) business days, either party may terminate the Terms upon written notice.
For questions about this BAA or HIPAA compliance, contact:
Plane Software, Inc.
Email: legal@plane.so