HIPAA Compliance & BAA | FieldTask

Updated on 28 Jun 2026
FieldTask HIPAA Compliance — security and privacy for field teams handling PHI.

FieldTask offers an optional HIPAA add-on for customers who use FieldTask to handle Protected Health Information (PHI). When the add-on is active, FieldTask enters into a Business Associate Agreement (BAA) with you and applies its HIPAA-specific controls to the covered sub-account(s). The add-on is billed at US$60 per sub-account, per month, for each sub-account on which you install FieldTask from your HighLevel agency account. HIPAA support is not enabled by default and is not self-service: to activate it, contact support@fieldtask.io and identify the sub-account(s) to be covered.

Note: HIPAA protection applies only once the add-on is enabled and a BAA has been signed for those sub-account(s). All FieldTask accounts are encrypted at rest and in transit regardless of HIPAA status, but encryption alone is not HIPAA compliance. Processing PHI in FieldTask also requires the HIPAA add-on, a signed BAA, and a HIPAA-enabled HighLevel sub-account (HighLevel's own HIPAA add-on and BAA). You remain responsible for your own HIPAA compliance, including your workforce, policies, and use of the platform; the add-on supports your compliance program but does not by itself make your organization HIPAA compliant.

FieldTask is a field service management application built natively for the HighLevel App Marketplace, used by service teams to manage scheduling, dispatching, work orders, time tracking, job photos, and invoicing. For healthcare-adjacent field operations, such as home health providers, FieldTask can be used to process Protected Health Information (PHI), and in that role FieldTask acts as a HIPAA Business Associate.

This article explains how HIPAA applies when FieldTask is used to handle PHI, what FieldTask provides, what you (the customer) remain responsible for, and how to put a Business Associate Agreement (BAA) in place.

Important — read first: FieldTask encrypts customer data at rest and in transit for every account by default, regardless of whether HIPAA is in scope. However, encryption alone is not "HIPAA compliance." HIPAA also requires a signed BAA, appropriate administrative controls, and correct configuration on both sides. A FieldTask account is not automatically a HIPAA-compliant environment; process PHI in FieldTask only once the HIPAA add-on is enabled, a BAA is signed, and the connected HighLevel sub-account is HIPAA-enabled.

Critical dependency: FieldTask syncs data with HighLevel in both directions. Because synced PHI also lives in HighLevel, FieldTask cannot provide a compliant end-to-end environment for a customer whose underlying HighLevel account is not HIPAA-enabled. See The HighLevel Dependency below.

What is HIPAA Compliance?

HIPAA — the Health Insurance Portability and Accountability Act of 1996 — is U.S. legislation that sets national standards for protecting individuals' medical information. It governs how organizations safeguard the privacy and security of health data and what must happen when that data is exposed.

When people refer to "HIPAA compliance" in the context of software and service vendors, they are usually referring to the requirements under HIPAA Title II.

What is HIPAA Title II?

Title II (the Administrative Simplification provisions) contains the rules most relevant to a platform like FieldTask:

  • HIPAA Privacy Rule — national standards protecting individually identifiable health information.
  • HIPAA Security Rule — administrative, physical, and technical safeguards for electronic PHI (ePHI).
  • HIPAA Breach Notification Rule — what must happen, and how quickly, when unsecured PHI is exposed.
  • HIPAA Enforcement Rule — how violations are investigated and penalized.

The rules that govern the relationship between a healthcare provider, FieldTask, and the underlying platform are primarily the Privacy Rule and the Security Rule, with the Breach Notification Rule applying if PHI is ever compromised.

How HIPAA Applies to FieldTask

HIPAA assigns roles:

  • The healthcare provider (for example, a home health agency) is the Covered Entity — they have the direct relationship with patients.
  • FieldTask (SpaceSoft Limited) is a Business Associate when it creates, receives, maintains, or transmits PHI on the provider's behalf.
  • The provider's other vendors that touch the same PHI — including HighLevel — are also Business Associates.

For PHI to be properly protected end to end, every party in this chain must have a BAA in place: the provider with FieldTask, the provider (or their agency) with HighLevel, and FieldTask with its own subprocessors. A single missing BAA breaks the chain for that data.

If you are not a healthcare provider and do not process PHI (for example, a typical HVAC, plumbing, or cleaning business), HIPAA generally does not apply to your use of FieldTask, and a BAA is not required.

The HighLevel Dependency

FieldTask is built natively for the HighLevel App Marketplace and syncs contacts, appointments, jobs, estimates, and invoices in both directions. This means PHI entered in FieldTask can also reside in your HighLevel account, and vice versa.

HighLevel accounts are not HIPAA-compliant by default. To make the HighLevel side compliant, the agency must:

  1. Purchase HighLevel's HIPAA Compliance add-on,
  2. Sign HighLevel's BAA, and
  3. Manually enable HIPAA for each relevant sub-account in HighLevel's Advanced Settings.

Before processing PHI in FieldTask, confirm the connected HighLevel account has completed all three steps. FieldTask's safeguards cannot compensate for a HighLevel environment that is not HIPAA-enabled.

What FieldTask Provides

  • Encryption at rest and in transit for all accounts as a platform baseline. 
  • A Business Associate Agreement (BAA) available to customers who process PHI. 
  • Role-based access control so users only see the records appropriate to their role and assignments.
  • Unique user accounts for every team member (no shared logins), so activity is attributable to an individual.
  • Audit logging of authentication and PHI-access activity (who accessed or changed which record, and when). 
  • Multi-factor authentication (MFA) for account access. 
  • Mobile safeguards on the iOS and Android apps, including session controls and protection of locally stored data.

Security

Encryption at rest. FieldTask encrypts customer data before it is stored, using industry-standard AES-256 encryption. This applies to all accounts by default, independent of HIPAA status. Encryption and decryption are handled transparently for authorized users; no configuration is required. Note the scope of this control: encryption at rest protects stored data from exposure at the storage layer (for example, disks or backups). It does not limit what an authenticated user can see; that is the job of the access controls and audit logging described below.

Encryption in transit. All data exchanged between the mobile apps, the FieldTask API, the web interface, and the HighLevel sync is protected with TLS.

Access controls. Access to PHI is restricted on a least-privilege, minimum-necessary basis through role-based permissions and unique user identities.

Audit logging. FieldTask records authentication events and access to PHI records to support security review, breach investigation, and customer reporting obligations. 
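The two controls above, minimum-necessary access and attributable audit logging, are easiest to reason about in code. The following is an added illustration, not FieldTask's own implementation: it assumes hypothetical roles ("dispatcher", "technician", "billing"), a work order that carries an assigned technician, and audit events written as JSON lines. The point it adds beyond the text is that the audit record itself must not become PHI: it stores user and record identifiers and the decision, never the patient name or visit notes.

```python
"""Added example (not FieldTask code): a minimum-necessary access check with
attributable audit events, in the shape a field-service app would use.

Assumptions (hypothetical, not from the page): roles "dispatcher",
"technician" and "billing"; work orders carry an assigned technician;
audit events are JSON lines keyed by user id and record id only.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Record types each role may read. Technicians additionally need an
# assignment on the specific work order (checked in can_view_work_order).
ROLE_PERMISSIONS = {
    "dispatcher": {"work_order", "contact", "timesheet"},
    "technician": {"work_order", "contact"},
    "billing": {"invoice", "contact"},
}


@dataclass
class User:
    user_id: str  # unique per person; no shared logins, so events are attributable
    role: str


@dataclass
class WorkOrder:
    record_id: str
    patient_name: str  # PHI
    visit_notes: str   # PHI
    assigned_to: str   # user_id of the technician on this job


@dataclass
class AuditLog:
    events: list[str] = field(default_factory=list)

    def record(self, user, action, record_type, record_id, allowed, reason):
        # Identifiers and outcome only. Patient names or notes in the log
        # would make the audit trail itself PHI and widen the breach surface.
        self.events.append(json.dumps({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user_id": user.user_id,
            "role": user.role,
            "action": action,
            "record_type": record_type,
            "record_id": record_id,
            "outcome": "allow" if allowed else "deny",
            "reason": reason,
        }))


def can_view_work_order(user: User, wo: WorkOrder) -> tuple[bool, str]:
    """Role check first, then the per-assignment check for technicians."""
    if "work_order" not in ROLE_PERMISSIONS.get(user.role, set()):
        return False, "role_not_permitted"
    if user.role == "technician" and wo.assigned_to != user.user_id:
        return False, "not_assigned"
    return True, "ok"


def view_work_order(user: User, wo: WorkOrder, audit: AuditLog):
    """Every attempt is logged, allowed or denied; PHI is returned only on allow."""
    allowed, reason = can_view_work_order(user, wo)
    audit.record(user, "view", "work_order", wo.record_id, allowed, reason)
    if not allowed:
        return None
    return {"record_id": wo.record_id, "patient_name": wo.patient_name,
            "visit_notes": wo.visit_notes}


def audit_contains_phi(audit: AuditLog, wo: WorkOrder) -> bool:
    """Sanity check: PHI fields must not leak into the audit trail."""
    return any(wo.patient_name in e or wo.visit_notes in e for e in audit.events)


def demo() -> dict:
    # Constructed sample data; not real patient information.
    audit = AuditLog()
    wo = WorkOrder("WO-1001", "Jane Example", "Wound dressing changed",
                   assigned_to="u-tech-1")
    tech_on_job = User("u-tech-1", "technician")
    tech_other = User("u-tech-2", "technician")
    billing = User("u-bill-1", "billing")
    return {
        "assigned_tech": view_work_order(tech_on_job, wo, audit) is not None,
        "other_tech": view_work_order(tech_other, wo, audit) is not None,
        "billing": view_work_order(billing, wo, audit) is not None,
        "audit_events": len(audit.events),
        "audit_has_phi": audit_contains_phi(audit, wo),
        "audit": audit.events,
    }


if __name__ == "__main__":
    result = demo()
    for line in result["audit"]:
        print(line)
```

Running it produces three audit lines: one allow for the assigned technician and two denies (the unassigned technician for `not_assigned`, billing for `role_not_permitted`). Denied attempts are logged too, because a pattern of denials is exactly what a breach investigation or an access review needs to see.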

Infrastructure. FieldTask is hosted on AWS, using AWS HIPAA-eligible services; the hosting provider is covered by a subprocessor BAA (see Subprocessors below).

Subprocessors. FieldTask maintains BAAs with any subprocessor that may handle PHI (e.g., hosting, storage, messaging). A current subprocessor list is available on request. 

Shared Responsibility Model

HIPAA compliance is shared between FieldTask and the customer. Your organization is ultimately responsible for meeting all HIPAA requirements for your workforce and your patients' data.

FieldTask is responsible for:

  • Securing the FieldTask platform (encryption, access controls, audit logging, infrastructure).
  • Providing a BAA and maintaining BAAs with its subprocessors.
  • Notifying you of a breach of unsecured PHI without unreasonable delay and no later than 60 days after discovery.

You (the customer) are responsible for:

  • Enabling HIPAA on the connected HighLevel account (add-on + BAA + per-sub-account toggle).
  • Limiting the PHI you enter to the minimum necessary.
  • Managing your own users: provisioning, role assignment, training, and prompt deactivation at offboarding.
  • Configuring and using staff devices responsibly (passcodes, not sharing logins, reporting lost devices).
  • Your own HIPAA program: risk analysis, policies, sanctions, and workforce training.

Data That May Contain PHI in FieldTask

When used by a healthcare provider, the following FieldTask data can contain PHI and is treated accordingly: contact/patient names and addresses, job and work-order details, visit notes, job photos and clinical media, GPS/location and route history tied to a patient's home, timesheets associated with patient visits, and invoices. Treat any field that ties a patient identity to a service or location as PHI.

How to Request a Business Associate Agreement (BAA)

  1. Contact FieldTask at support@fieldtask.io to request the HIPAA add-on and a BAA, identifying the sub-account(s) that will process PHI.
  2. Review and sign the FieldTask BAA. 
  3. Confirm the connected HighLevel account has its own HIPAA add-on purchased, BAA signed, and HIPAA enabled for the relevant sub-account(s).
  4. Begin processing PHI only after the above are complete.

Frequently Asked Questions

Is FieldTask HIPAA compliant by default?

No. Encryption at rest and in transit is on by default for all accounts, but processing PHI also requires the HIPAA add-on enabled on the sub-account, a signed BAA, and a HIPAA-enabled HighLevel account. HIPAA "compliance" is a shared responsibility, not an automatic account state.

Do I need a BAA?

You need a BAA if you are a Covered Entity (or another Business Associate) and PHI will pass through FieldTask. If you do not handle PHI, you do not need one.

Is my data encrypted even if I don't have a BAA?

Yes. FieldTask encrypts data at rest and in transit for every account regardless of HIPAA status.

Does FieldTask work for HIPAA if my HighLevel account isn't HIPAA-enabled?

No. Because data syncs into HighLevel, the connected HighLevel account must be HIPAA-enabled for the environment to be compliant end to end.

What happens if there's a data breach?

FieldTask will investigate, mitigate, and notify affected customers of a breach of unsecured PHI in accordance with the HIPAA Breach Notification Rule.

Can FieldTask staff see my patients' data?

FieldTask is the software your team uses to manage its work; it does not use, interpret, or work with the contents of your patients' health information for any purpose other than providing the service to you. You decide what information is entered, and any PHI you choose to store is held and transmitted by the platform in encrypted form. FieldTask personnel do not access your account data in the normal course of business. Access occurs only when necessary — for example, when you request support and authorize it, or to address a specific technical or security issue. In those cases, access is limited to the minimum necessary, is logged, and is governed by confidentiality obligations.

Does FieldTask use my PHI for analytics or product improvement?

No. PHI is used only to provide the service as defined in the BAA. Any product analytics are kept separate and free of PHI. 

Contact

For HIPAA, BAA, or security questions, contact support@fieldtask.io.

