Legal · Healthcare

HIPAA Business Associate Agreement

QuantaSeal is prepared to execute a Business Associate Agreement (BAA) with Covered Entities and Business Associates handling Protected Health Information (PHI). Complete the form below to initiate the process.

Why QuantaSeal for HIPAA-covered PHI

🔐

Harvest-now-decrypt-later threat

Health records have a 30–50 year relevance horizon. Classical encryption (RSA/ECDSA) will be broken by quantum computers within this window. QuantaSeal applies ML-KEM-768 - NIST FIPS 203 Level 3 - protecting PHI against future quantum adversaries today.

🏥

HIPAA Security Rule §164.312(a)(2)(iv)

Encryption and decryption of ePHI is an addressable specification. QuantaSeal's AES-256-GCM + ML-KEM-768 hybrid architecture directly satisfies this requirement and produces evidence-grade audit logs.

📋

Immutable audit chain

Every PHI access event is recorded in a SHA3-256 hash-chained audit log stored in S3 WORM. Each entry is ML-DSA-65 signed. HIPAA §164.312(b) audit control requirement: satisfied out of the box.

🏗️

Per-tenant key isolation

Each covered entity receives a dedicated AWS KMS Customer Master Key. PHI encrypted for Hospital A is cryptographically isolated from Hospital B - zero cross-tenant data access is architecturally impossible.

🔄

Access control §164.312(a)(1)

Role-based access control with viewer/editor/admin/owner roles. API key scoping limits access to specific vaults or operations. MFA and FIDO2 passkeys for all administrative access.

🚨

Breach notification readiness

QuantaSeal's incident response engine detects anomalous PHI access patterns in real time. Automated notifications to covered entity within 1 hour of suspected breach - HIPAA §164.404 compliant.

What the QuantaSeal BAA covers

Our BAA is consistent with 45 CFR §164.504(e) and covers:

Permitted uses and disclosures of PHI on behalf of the Covered Entity
Obligations to implement appropriate safeguards per the HIPAA Security Rule
Reporting of security incidents and breaches involving PHI within the timeframes required
Ensuring downstream business associates agree to equivalent restrictions
PHI availability, return, and destruction obligations at termination
Right to terminate for non-compliance with material BAA provisions

Download BAA template

Review our standard BAA template before engaging your legal team. The template follows 45 CFR §164.504(e) and covers all required provisions. The final executed agreement will be tailored to your organisation.

📄

QuantaSeal HIPAA BAA — Template v1.0

Plain-text · Last revised May 2026 · 45 CFR §164.504(e) compliant structure

Download template ↓

Request a signed BAA

After reviewing the template, send us the completed fields to initiate execution. Our healthcare compliance team responds within one business day.

Send your BAA request to hipaa@quantaseal.io with the following information:

Organisation name and type (Covered Entity / Business Associate)
EHR / EMR system in use (Epic, Cerner, etc.)
Contact name, email, and phone
Anticipated go-live or procurement timeline
Any specific BAA provisions required by your legal team

Request signed BAA via email →

Typical response time: 1 business day. BAA execution: 3–5 business days.

HIPAA Security Rule controls satisfied

Standard	Specification	Implementation	Status
164.312(a)(1)	Access Control	RBAC + MFA + FIDO2 passkeys	✅
164.312(a)(2)(iv)	Encryption & Decryption	ML-KEM-768 + AES-256-GCM	✅
164.312(b)	Audit Controls	SHA3-256 hash chain + ML-DSA-65 signed entries	✅
164.312(c)(1)	Integrity	ML-DSA-65 payload signatures on all PHI operations	✅
164.312(d)	Person Authentication	JWT + MFA + FIDO2 WebAuthn	✅
164.312(e)(1)	Transmission Security	TLS 1.3 + PQC payload signing	✅

ML-KEM

DSA-65

QUANTASEAL

ML-KEM-768AES-256-GCMML-DSA-65

Initializing Quantum Vault