
A Business Associate Agreement (BAA) is a legal contract required by HIPAA before a covered entity or business associate may share Protected Health Information (PHI) with a service provider. The Hasp AI API processes requests that may contain PHI — to do so lawfully, your organization must have a signed BAA on file.

When BAA is required

Any inference request on the Hasp AI API may be gated by BAA status. The API checks your organization’s BAA status on every request. If PHI handling is enabled (which it is by default) and no signed BAA is on file, the request fails with:
{
  "type": "error",
  "error": {
    "type": "permission_error",
    "message": "A signed Business Associate Agreement is required to access this feature.",
    "hasp_code": "BAA_REQUIRED",
    "hasp_details": {
      "baa_url": "https://api.usehasp.com/v1/compliance/baa"
    }
  }
}
The hasp_details.baa_url field links directly to the endpoint where you can retrieve the current BAA status for your organization.

Resolving BAA_REQUIRED

  1. Retrieve the current BAA via GET /v1/compliance/baa. This returns the current template version and signing instructions.
  2. Sign the BAA through the Hasp dashboard under Settings → Compliance → BAA. The BAA is electronically signed and tied to your organization.
  3. Retry your request. Once signed, the BAA_REQUIRED gate lifts immediately — no propagation delay.

Which tiers require a BAA

Every paid Hasp tier — Solo, Professional, Business, and Enterprise — includes BAA coverage. The BAA requirement is enforced uniformly: regardless of tier, you must have a signed BAA on file before the API will process requests that may contain PHI. Free evaluation accounts can make API requests, but they are not covered under a BAA. Do not send real PHI from a free evaluation account.

What the BAA covers

The Hasp BAA covers Hasp’s handling of PHI in the context of AI inference:
  • The PHI scan and redaction step (Microsoft Presidio sidecar, run by Hasp).
  • Encrypted storage of message content (when the store parameter is not set to false).
  • Transmission of messages to the upstream inference provider (Anthropic) under Anthropic’s own BAA with Hasp.
  • Audit log retention.
The BAA does not cover how you handle PHI in your own application before sending it to the API.

Checking BAA status programmatically

curl https://api.usehasp.com/v1/compliance/baa \
  -H "Authorization: Bearer wa_live_<key>"
The response includes baa_status (not_signed | signed | expired), current_version, and re_sign_deadline. Monitor the current_version field — when Hasp updates the BAA template, you may be required to re-sign.
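A client-side companion to the error and status responses above, added here as an example; it is not part of the Hasp SDK or documentation. It detects the BAA_REQUIRED error body shown earlier (so it is not confused with other permission or rate-limit errors) and turns a GET /v1/compliance/baa response into a go/no-go decision for PHI-bearing traffic. The field names come from this page; the sample payloads are constructed, the version string and the ISO 8601 format of re_sign_deadline are assumptions, and signed_version (the template version your organization last signed) is something you track in your own configuration, not a Hasp field.

```python
"""Handle Hasp BAA gating on the client side.

Added example (not Hasp's own code). Assumes the response shapes documented
on this page; sample payloads below are constructed.
"""
import json
import urllib.request
from datetime import datetime, timedelta

BAA_ENDPOINT = "https://api.usehasp.com/v1/compliance/baa"

# Constructed copy of the BAA_REQUIRED error body shown on this page.
SAMPLE_ERROR = json.dumps({
    "type": "error",
    "error": {
        "type": "permission_error",
        "message": "A signed Business Associate Agreement is required to access this feature.",
        "hasp_code": "BAA_REQUIRED",
        "hasp_details": {"baa_url": BAA_ENDPOINT},
    },
})

# Constructed GET /v1/compliance/baa responses. Field names are from this page;
# the version string and ISO 8601 deadline format are assumptions.
SAMPLE_STATUS = json.dumps({
    "baa_status": "signed",
    "current_version": "2024-11",
    "re_sign_deadline": "2025-06-30T00:00:00Z",
})
SAMPLE_EXPIRED = json.dumps({"baa_status": "expired", "current_version": "2024-11"})


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp such as 2025-06-30T00:00:00Z (assumed format)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def baa_required(error_body: str):
    """Return hasp_details.baa_url if error_body is a BAA_REQUIRED permission
    error, otherwise None. Other errors (or non-JSON) are not a BAA gate, so a
    rate limit or bad key is never mistaken for a missing BAA."""
    try:
        doc = json.loads(error_body)
    except (json.JSONDecodeError, TypeError):
        return None
    if not isinstance(doc, dict) or doc.get("type") != "error":
        return None
    err = doc.get("error") or {}
    if err.get("type") != "permission_error" or err.get("hasp_code") != "BAA_REQUIRED":
        return None
    return (err.get("hasp_details") or {}).get("baa_url")


def evaluate_baa(status_body: str, signed_version: str, now: datetime, warn_days: int = 14):
    """Decide whether PHI-bearing requests may proceed.

    signed_version: the current_version your organization last signed (kept in
    your own config; an assumption of this example, not a Hasp field).
    Returns (ok, reason); ok=False means hold PHI traffic until re-signed."""
    doc = json.loads(status_body)
    status = doc.get("baa_status")
    if status != "signed":          # not_signed or expired: the API will reject PHI
        return False, f"baa_status={status}"
    deadline = doc.get("re_sign_deadline")
    if deadline:
        due = parse_ts(deadline)
        if due <= now:
            return False, "re_sign_deadline passed"
        if due - now <= timedelta(days=warn_days):
            return True, f"re-sign due by {deadline}"
    if doc.get("current_version") != signed_version:
        # Template changed since you signed: the page says re-signing may be required.
        return True, f"template updated to {doc.get('current_version')}; re-sign may be required"
    return True, "signed"


def fetch_baa_status(api_key: str) -> str:
    """Live equivalent of the curl command above (network call; not run offline)."""
    req = urllib.request.Request(BAA_ENDPOINT, headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print(baa_required(SAMPLE_ERROR))
    print(evaluate_baa(SAMPLE_STATUS, "2024-11", parse_ts("2025-05-01T00:00:00Z")))
```

Run evaluate_baa on a schedule (or at service start) rather than only reacting to BAA_REQUIRED at request time: a deadline that is near or a changed template is a warning you want before PHI requests start failing, and a status of not_signed or expired should stop PHI traffic in your application before any message reaches the API.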