0. This is a template — not a signed agreement
This page publishes the standard BAA template Go Live Command offers to HIPAA-regulated customers. It is informational and does not, by itself, create a contract. To establish a signed BAA for your organization, contact privacy@golivecommand.com — we will counter-sign and return an executed copy.
Customers should have their own legal counsel review this template before signing. Go Live Command does not provide legal advice.
1. Purpose and PHI boundary
Go Live Command is an operational command platform for healthcare go-lives, support, and routing. It is designed to process operational data (role, unit, request category, location/callback point, device identifier, audit metadata) and is explicitly NOT designed as a clinical or PHI system. Customer agrees not to transmit Protected Health Information (PHI) into the platform except as permitted by the workflows and field labels the platform exposes.
This BAA template applies to every surface where Go Live Command is used in a HIPAA context. Industry Operations Boards (including Pharmacy and Restaurant boards), Group Chat, the Workforce Lifecycle Suite (time clock, timesheets, expenses, open shifts, recognition, surveys, credentials), and the Training Center all inherit the same no-PHI-by-design boundary and the same safeguards described in this BAA and on the Security & Compliance page.
Where operational free-text fields could incidentally receive PHI, the platform applies PHI-detection guardrails on submission, redacts where possible, and audits the event. Customer remains responsible for training their workforce on acceptable use.
2. Definitions
“PHI”, “Business Associate”, “Covered Entity”, “Required by Law”, “Security Incident”, “Breach” and other capitalized terms have the meanings given in 45 C.F.R. Parts 160 and 164 (the “HIPAA Rules”).
“Operational Data” means the no-PHI launch/support context Go Live Command processes on Customer’s behalf.
3. Permitted uses and disclosures
Go Live Command, acting as Business Associate, may use or disclose PHI it receives from or on behalf of Customer only as Required by Law or as necessary to perform the services described in the Order Form / Subscription Terms, including: routing operational requests, audit logging, providing administrative tooling, and supporting Customer's incident response.
Business Associate will not use or disclose PHI in a manner that would violate the HIPAA Rules if done by the Covered Entity directly, except to the extent permitted by 45 C.F.R. § 164.504(e)(4) for the proper management and administration of Business Associate or to provide Data Aggregation services as defined at 45 C.F.R. § 164.501.
4. Safeguards
Business Associate will implement administrative, physical, and technical safeguards consistent with 45 C.F.R. § 164.308, § 164.310, and § 164.312, including: TLS 1.2+ in transit, encrypted-at-rest secrets, role-based access control, MFA for administrators, signed sessions, CSRF protection, security headers, write-once audit archive (S3 Object Lock COMPLIANCE mode, 7-year retention), production readiness gates, no-PHI guardrails, and incident response procedures. Details are published on the Security & Compliance page.
5. Subcontractors
Business Associate will enter into a written agreement with any Subcontractor (sub-processor) that creates, receives, maintains, or transmits PHI on Business Associate's behalf, requiring substantially the same restrictions and conditions that apply to Business Associate under this BAA.
The current list of HIPAA-eligible sub-processors is available to authenticated Customers under NDA via privacy@golivecommand.com and is mirrored in the Customer's admin dashboard.
6. Reporting of security incidents and breaches
Business Associate will report to Customer, without unreasonable delay and in any event within 5 business days of becoming aware: (a) any use or disclosure of PHI not permitted by this BAA; (b) any Security Incident of which it becomes aware; and (c) any Breach of Unsecured PHI as defined in 45 C.F.R. § 164.402, with the information required by 45 C.F.R. § 164.410.
Unsuccessful Security Incidents (e.g., pings, port scans, denied access attempts) that do not result in unauthorized access, use, disclosure, modification, or destruction of PHI are reported to Customer in aggregate form in the standard security report; individual notification is not required.
7. Access, amendment, and accounting
To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate will provide Customer with the tooling necessary to enable Customer to meet its obligations under 45 C.F.R. § 164.524 (access), § 164.526 (amendment), and § 164.528 (accounting of disclosures). For requests requiring Processor assistance, Customer should contact privacy@golivecommand.com.
8. Availability to the Secretary
Business Associate will make its internal practices, books, and records relating to its use and disclosure of PHI received from Customer available to the Secretary of Health and Human Services for purposes of determining Customer's compliance with the HIPAA Rules, subject to applicable attorney-client and other legal privileges.
9. Termination
On termination of the underlying Subscription, Business Associate will return or destroy all PHI received from Customer, if feasible. Where return or destruction is not feasible (e.g., write-once audit archive under regulatory retention), Business Associate will extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
10. Conflicts and governing terms
Where this BAA conflicts with the Terms of Agreement, the BAA controls for matters of PHI protection. Where this BAA conflicts with a Customer-specific Master Services Agreement, the Customer-specific MSA controls.
11. Contact and execution
To execute this BAA, send a signed copy to privacy@golivecommand.com. We will counter-sign and return an executed PDF and store it with the Customer's account record.