The BAA is in every contract.
The Business Associate Agreement is part of the standard Lumè contract. Not a premium tier. Not a separate negotiation. Here is what that means in practice.
What a BAA is
Under the HIPAA Privacy and Security Rules, a "Covered Entity" (most medical spas, depending on the services they offer and their payment posture) cannot share protected health information ("PHI") with a vendor unless that vendor has signed a Business Associate Agreement.
The BAA contractually obligates the vendor — Lumè — to handle PHI with the same care HIPAA requires of the Covered Entity, including specific technical safeguards, workforce training, breach notification timelines, and cooperation with the Covered Entity's compliance program. The required scope is set out in HIPAA §164.504(e).
Why Lumè includes the BAA in every contract
Several competing platforms classify HIPAA compliance as a premium feature: the BAA is gated behind a higher pricing tier or an annual contract commitment. We think that is the wrong model for a category of software where the only real customer is a medical practice.
Lumè runs on a single architecture. Every customer is on the HIPAA-compliant infrastructure because there isn't a second infrastructure. Charging extra for the BAA would mean charging extra for a feature every customer already has.
What Lumè's BAA covers
The BAA addresses each obligation a Business Associate owes under HIPAA. In plain terms:
- Permitted uses and disclosures. Lumè uses PHI only to provide the CRM service to the customer. We do not use PHI for marketing, advertising, AI training, or any purpose outside the service.
- Safeguards. Lumè implements the administrative, physical, and technical safeguards required under the Security Rule. These include tenant isolation at the database layer, role-based permissions, append-only audit logging, encryption at rest with AWS KMS, and TLS in transit. See /security for the technical posture.
- Workforce. Every Lumè staff member with access to PHI signs a confidentiality agreement and completes HIPAA training. Access is provisioned least-privilege and audit-logged.
- Subcontractors. Lumè uses AWS, Twilio, and Resend as subprocessors, plus a licensed payment processor for card transactions inside the CRM. AWS, Twilio, and the payment processor operate under signed BAAs with Lumè where applicable. Resend is used only for marketing-site email and does not process PHI. The payment processor is PCI DSS Level 1 compliant. New subprocessors are disclosed in advance with a reasonable opportunity to object.
- Breach notification. Lumè will notify the customer of any breach of unsecured PHI without unreasonable delay, and no later than sixty days following discovery, consistent with HIPAA §164.410. The notification will include the information required under §164.404 to the extent then available.
- Access, amendment, accounting. Lumè will support the customer in fulfilling individual access, amendment, and accounting-of-disclosures requests as required by §164.524, §164.526, and §164.528.
- Return or destruction. On termination, Lumè will, at the customer's option, return or destroy all PHI within the timelines set out in the BAA. Backups containing residual copies are purged within thirty days thereafter.
- HHS audit cooperation. Lumè will make its internal practices, records, and policies available to the Department of Health and Human Services as required to determine the customer's compliance with HIPAA.
What Lumè's BAA does not do
The BAA does not make Lumè the Covered Entity. The customer (the spa) remains the Covered Entity under HIPAA, with the underlying obligations to its patients — for notice of privacy practices, individual rights, and patient communications. Lumè supports the customer in meeting those obligations, but does not assume them.
The BAA also does not modify your separate obligations under state law. Several states (California, Massachusetts, New York, Texas) impose privacy and breach-notification rules that go beyond HIPAA. Where applicable state law is more protective, it applies.
Requesting the template
We share the BAA template before contracting so that counsel for the customer can review it alongside the Master Service Agreement. To request a copy:
Email: legal@lumecrm.com, or request it during your demo and we will send it before the follow-up call.
