What Is a BAA and When Is It Required?

Under HIPAA (45 CFR 164.502(e) and 164.504(e) in the Privacy Rule, 164.308(b) and 164.314(a) in the Security Rule), a Business Associate Agreement is a written contract between a covered entity, your clinic, and any person or organization that creates, receives, maintains, or transmits Protected Health Information in order to perform functions or activities on your behalf. The HITECH Act of 2009, implemented by the 2013 Omnibus Rule, made business associates directly liable under HIPAA for their own violations, not merely contractually liable to you. For the complete regulatory context governing these requirements, see the definitive HIPAA guide for specialty medicine telehealth.

The trigger is simple: if a vendor creates, receives, maintains, or transmits PHI in order to perform a service for your clinic, a BAA is legally required before any data flows to that vendor. The vendor does not need to read or process the PHI. HHS's cloud computing guidance is explicit that a provider storing an encrypted backup containing PHI is a business associate even when it holds no decryption key. The only carve-out is the narrow conduit exception for services that merely transmit PHI (internet service providers, postal and courier services) and have no more than random, transient access to it.

Key Definition

Protected Health Information (PHI) is any individually identifiable health information held or transmitted by a covered entity or business associate. It includes the 18 identifiers enumerated in the Safe Harbor de-identification standard (45 CFR 164.514(b)): names; geographic subdivisions smaller than a state; dates other than year; phone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate and license numbers; vehicle identifiers; device identifiers; URLs; IP addresses; biometric identifiers; full-face photos; and any other unique identifying number, characteristic, or code, whenever they are linked to health, treatment, or payment information. For telehealth clinics, PHI permeates every system: intake forms, appointment records, consultation notes, prescription data, lab results, and billing records.

Vendors that are not business associates and therefore do not require BAAs include: couriers that transport sealed, unopened PHI containers without the ability to open them; janitorial services that clean your office; and utilities that provide infrastructure with no logical access to your systems. General contractors, lawyers, and accountants who do not access PHI also fall outside the BAA requirement. In practice, nearly every software vendor that touches patient data in a telehealth clinic needs one.

A BAA is not a substitute for your own security practices. It is a legal obligation that allocates responsibility and provides contractual rights, including breach notification timelines, audit rights, and termination triggers. Without a signed BAA, the disclosure of PHI to that vendor is itself impermissible, and you have no contractual right to notification, audit access, or cooperation when something goes wrong inside infrastructure you cannot see into.

The 10+ Vendor Categories That Require BAAs

1. EHR and Practice Management Systems

Your Electronic Health Record system is the most obvious BAA requirement. EHR vendors receive and store the most comprehensive PHI in your stack: demographics, diagnoses, medication lists, progress notes, lab results, and prescription history. Every major EHR vendor in the market offers a BAA. If yours does not — or has not presented one for signature — that is a disqualifying compliance failure.

Practice management systems that handle scheduling, billing codes, and insurance claims are equally covered. Even if the practice management system is separate from the EHR, if it holds appointment records linking patient identities to clinical services, it is handling PHI and requires a BAA.

2. Cloud Hosting and Infrastructure Providers

AWS, Google Cloud, and Microsoft Azure all offer BAAs and publish lists of HIPAA-eligible services. The BAA does not make every service on the platform HIPAA-compliant; it covers only the services on the provider's HIPAA-eligible list, and only when you configure them within your own compliance program. Accept the BAA before any PHI lands (AWS through AWS Artifact, Google Cloud through the Cloud Console, Microsoft as part of its Product Terms) and restrict PHI to eligible services; anything outside that list is out of bounds for patient data.

Managed database providers, CDNs, and even serverless function platforms that execute code against PHI data all fall under this requirement if your infrastructure uses them to process patient information. Your cloud hosting BAA is foundational because every other service you build on that infrastructure depends on it, but it covers only the provider's side of the shared-responsibility model: misconfigured storage buckets, over-broad IAM roles, and PHI placed in non-eligible services remain your failures, not the provider's.

3. Payment Processors

Pure payment processing — a credit card transaction with no clinical context — is governed by PCI-DSS, not HIPAA, and does not require a BAA. However, most telehealth clinic payment integrations are not pure. If a transaction record includes a patient name alongside a product code, subscription plan, or service description that reveals a diagnosis or treatment category, PHI is present. Subscription billing platforms that store a patient's recurring plan details alongside demographic identifiers are almost always handling PHI.

Stripe, Braintree, and most major processors offer BAAs for healthcare customers. Activate the BAA if there is any ambiguity about whether PHI passes through the integration. An unnecessary BAA costs you a document to track and a few added obligations; a missing one when PHI was present is measured in fines and reputational damage.

4. Email Service Providers

Any email platform used to send appointment confirmations, lab result notifications, prescription status updates, intake forms, or any message that links a patient's identity to their health information requires a BAA. This includes transactional email providers (SendGrid, Mailgun, Postmark, AWS SES) and marketing email platforms (Mailchimp, HubSpot, Klaviyo).

The distinction between transactional and marketing email does not change the BAA requirement. If a "marketing" email to a patient references their treatment program, protocol, or medication — even obliquely — PHI is involved. Many specialty medicine clinics violate HIPAA here by using consumer-grade email marketing platforms that do not offer BAAs for sending retention campaigns to patients who are enrolled in hormone or peptide protocols.

5. SMS and Messaging Platforms

SMS platforms used for appointment reminders, prescription pickup alerts, lab result notifications, or any two-way clinical messaging require BAAs. Twilio, Bandwidth, and similar programmable messaging platforms offer HIPAA-eligible tiers with BAAs. Standard Twilio messaging is not automatically HIPAA-eligible — you must opt into Twilio's HIPAA-eligible services and execute their BAA.

SMS is a particularly common BAA gap because many telehealth clinics use SMS for patient communication without recognizing that "patient name + appointment for your testosterone consultation" is PHI. Even a simple "Your results are ready" text, if it can be linked to a patient's identity and implies a health service, crosses the threshold.

6. Video and Telehealth Platforms

Video consultation platforms that host patient-provider encounters are processing some of the most sensitive PHI in your stack — real-time audio and video of clinical conversations. Zoom for Healthcare, Doxy.me, and other HIPAA-eligible video platforms offer BAAs. Standard consumer Zoom does not. If your providers are conducting consultations over a platform without a BAA, every session is a potential HIPAA violation.

Beyond the primary video platform, ancillary tools connected to clinical workflows — screen sharing tools, virtual waiting room systems, session recording storage — each require evaluation and, if PHI is involved, BAAs of their own.

7. Analytics and Business Intelligence Tools

This is the most commonly overlooked BAA category in telehealth. Clinics routinely integrate Google Analytics, Mixpanel, Amplitude, Segment, or similar platforms into their patient portals, intake flows, and clinical applications. If these analytics tools collect data on authenticated patient sessions — tracking what a logged-in patient clicks on, what forms they complete, or what pages they visit after a lab result is displayed — they are receiving PHI.

Google Analytics does not offer a BAA and explicitly prohibits PHI in its terms of service. Most consumer-grade analytics platforms are in the same position. If you use analytics in authenticated patient-facing environments, you either need a HIPAA-eligible analytics vendor with a BAA or an architecture that strips all PHI before data reaches the analytics layer. Many clinics have neither.

8. Lab Integration Partners

Quest Diagnostics, LabCorp, and other clinical laboratories are themselves HIPAA covered entities (health care providers). When your clinic transmits an order and the lab returns results for that patient's care, the exchange falls under HIPAA's treatment exception (45 CFR 164.502(e)(1)(ii)(A)) and no BAA is required for it, which is why large labs do not always present one. The lab becomes your business associate, and a BAA is required, as soon as it performs functions on your behalf beyond treating the patient: hosting your patient-facing results portal, aggregating and normalizing data for you, or running outreach to your patients. The data itself (patient demographics, ordered tests, result values) is PHI either way.

The gap often appears with smaller or specialty lab vendors, at-home testing kit companies, and health informatics platforms that aggregate or normalize lab data from multiple sources before returning it to your EHR. Each intermediary in the lab data chain that touches PHI needs its own BAA.

9. Compounding Pharmacy Systems

Compounding pharmacies are covered entities in their own right, and transmitting a prescription to a pharmacy that fills it for your patient is a treatment disclosure that does not by itself require a BAA. The prescriptions nonetheless contain PHI (patient name, date of birth, prescriber NPI, diagnosis codes in some cases, and controlled substance details), and many telehealth-focused pharmacies do more than fill: they host order portals, run refill reminder programs, or exchange data through shared platforms. Those functions are performed on your behalf and do require a BAA. Most established compounding pharmacies in the telehealth specialty medicine space maintain compliance programs and will execute one. These same pharmacies also carry federal supply chain obligations under the Drug Supply Chain Security Act; see our guide to DSCSA compliance for compounding pharmacies for details.

The integration layer is the more complex issue. If your clinic uses a middleware platform, HL7/FHIR integration engine, or API gateway to route prescriptions to one or more compounding pharmacies, that middleware vendor is also handling PHI and requires its own BAA. Every node in the prescription transmission chain must be covered.

10. Medical Billing and Revenue Cycle Management

Billing vendors and RCM platforms that submit claims, manage denials, post payments, or handle patient collections process PHI extensively: names, diagnoses, procedure codes, insurance details, and payment records. This category also includes clearinghouses, which are covered entities under HIPAA but act as business associates when they process claims on a provider's behalf, so you still need a BAA with your clearinghouse vendor.

Third-party billing companies that access your EHR on your behalf to pull claim data are business associates. If you outsource billing to a firm that logs into your systems or receives PHI exports, ensure the BAA is in place and that it specifies exactly what data access is permitted and how it may be used.

11. AI Tools and Chatbot Vendors

Artificial intelligence tools represent the newest and fastest-growing BAA compliance gap. If your clinic uses any of the following, a BAA is required before any patient data enters the vendor's system: AI clinical documentation and scribing tools that transcribe consultations, AI intake chatbots that collect patient symptoms and history, AI-powered clinical decision support, large language model APIs where patient context is submitted in prompts, and AI-driven follow-up or engagement tools that access patient records.

Critical Gap Alert

Standard tiers of ChatGPT (OpenAI), Google Gemini, and most consumer AI platforms do not offer BAAs and their terms of service explicitly prohibit PHI submission. If your clinical staff is pasting patient notes into these tools for summarization, documentation, or decision support, that is an active HIPAA violation. Healthcare-specific API tiers from these vendors — or purpose-built HIPAA-eligible AI platforms — with executed BAAs are the compliant path forward.

Comprehensive Vendor BAA Reference Table

The following table covers the vendor categories every telehealth clinic should evaluate. PHI exposure levels and BAA requirements are based on typical integration patterns; your actual requirement depends on your specific data architecture.

Vendor Category | Common Examples | PHI Accessed | BAA Required? | Common Pitfall
EHR / Practice Management | Canvas Medical, Athenahealth, Practice Fusion, Jane App | Full clinical record, demographics, diagnoses, prescriptions | YES | Not executing BAA before go-live; assuming it is automatic
Cloud Infrastructure | AWS, Google Cloud, Microsoft Azure, DigitalOcean | All data stored or processed on platform | YES | BAA covers only HIPAA-eligible services; PHI in non-eligible services
Payment Processing | Stripe, Braintree, Square, Authorize.net | Patient name + service/product codes | CONDITIONAL | Assuming pure payment data has no PHI component
Transactional Email | SendGrid, Mailgun, Postmark, AWS SES | Patient name, appointment type, clinical notifications | YES | Using standard tier without activating HIPAA-eligible services
Marketing Email / CRM | Mailchimp, HubSpot, Klaviyo, ActiveCampaign | Patient identity + treatment-linked content | YES | Most consumer platforms refuse to sign BAAs; clinic continues using them
SMS / Messaging | Twilio, Bandwidth, Vonage, MessageBird | Patient name, appointment context, clinical alerts | YES | Standard Twilio is not HIPAA-eligible; HIPAA tier must be activated
Video / Telehealth Platform | Zoom for Healthcare, Doxy.me, VSee, Teladoc platform | AV of clinical encounters, session metadata | YES | Using consumer Zoom instead of Zoom for Healthcare
Analytics / Product Intelligence | Google Analytics, Mixpanel, Amplitude, Segment, FullStory | Patient session data in authenticated environments | YES (if PHI present) | Most do not offer BAAs; PHI in patient portal analytics is widespread
Lab Integration | Quest, LabCorp, Rupa Health, Everly Health | Orders, results, patient demographics | CONDITIONAL (orders and results exchanged with a lab that is itself a covered provider are treatment disclosures; intermediaries and any non-treatment service: YES) | Middleware or aggregation layers lacking BAAs
Compounding Pharmacy | Empower, Olympia, Tailor Made, Curexa | Prescriptions, patient demographics, Rx history | CONDITIONAL (filling a prescription is a treatment disclosure; order portals, refill programs, and middleware: YES) | Pharmacy has BAA but integration middleware layer does not
Medical Billing / RCM | Kareo, AdvancedMD, Veradigm, outsourced billing firms | Claims data, diagnoses, procedure codes, payments | YES | Outsourced billing firm accessing EHR without formal BAA on file
AI / LLM Tools | DeepScribe, Nabla, Suki, Azure OpenAI (HIPAA), Anthropic (HIPAA tier) | Clinical notes, transcripts, patient context in prompts | YES | Staff using consumer AI tools for clinical documentation without BAA
Patient Engagement / Portal | Phreesia, Klara, Luma Health, Spruce Health | Patient messaging, intake data, appointment history | YES | Third-party engagement tool used without BAA review
Data Backup / Disaster Recovery | Veeam, Datto, Acronis, cloud-native backups | All PHI in backup sets | YES | Backup vendor treated as infrastructure utility without BAA
e-Signature / Document Management | DocuSign, HelloSign, PandaDoc | Signed intake forms, consent documents with PHI | YES | Standard e-sign tier used; HIPAA-eligible tier not activated
Customer Support / Help Desk | Zendesk, Intercom, Freshdesk | Support tickets referencing patient conditions or orders | YES (if PHI present) | Clinical support tickets contain PHI; platform has no BAA

What Every BAA Must Contain

HIPAA specifies the required elements of a BAA at 45 CFR 164.504(e)(2) (Privacy Rule) and 164.314(a)(2) (Security Rule). A legally compliant BAA must address all of the following:

Permitted Uses and Disclosures

The BAA must specify what the business associate is permitted to do with PHI. This is not a blanket authorization — it should define the specific functions the vendor performs (e.g., "process payment transactions for healthcare services") and prohibit all other uses. A BAA that grants the vendor permission to "use PHI for any lawful purpose" is not compliant and gives up the minimum necessary protections the Privacy Rule requires.

Required Safeguards

The BAA must require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of PHI. For most technology vendors, this means requiring Security Rule compliance (administrative, physical, and technical safeguards) even though the vendor is not itself a covered entity. The BAA should specify the security standards you expect, not simply state that the vendor will maintain "appropriate" safeguards without definition. This is the right time to verify how the vendor actually protects PHI at rest: whether it implements field-level AES-256 encryption rather than relying on full-disk or database-level encryption alone, who controls the keys, and how access to decrypted data is logged.

Breach Notification Obligations

The business associate must agree to notify you of any breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery (45 CFR 164.410). Your BAA should shorten that to well under the regulatory maximum; 10 business days or less is commonly negotiated, and a few days for a confirmed breach is not unreasonable, because a business associate's discovery can be imputed to you when it acts as your agent, which means your own 60-day clock may already be running. The notification must include sufficient information for you to meet your own breach notification obligations to patients and HHS.

Subcontractor Requirements

The business associate must agree to ensure that any subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees to the same restrictions and conditions as the business associate itself. This is the downstream BAA requirement. Your vendor's subcontractors are not your direct business associates, but your BAA with the vendor must require the vendor to push compliant terms down the chain.

Access to PHI for Patients and HHS

The BAA must include the business associate's agreement to provide access to PHI in its possession when required to satisfy your obligations to provide patients access to their records, and to make its internal practices and records available to HHS for audit and compliance review.

Return or Destruction of PHI

Upon termination of the relationship, the BAA must require the business associate to return or destroy all PHI in its possession, including copies in backup systems. If return or destruction is not feasible, the business associate must extend the BAA's protections to the retained PHI for as long as it keeps it and limit further uses and disclosures to the purposes that make return or destruction infeasible (45 CFR 164.504(e)(2)(ii)(J)). A written certificate of destruction is not in the regulation, but it is standard practice and worth requiring.

Termination Rights

The covered entity must have the right to terminate the BAA if the business associate has violated a material term and has not cured the breach within a specified period. The BAA should also specify what constitutes a material breach — unauthorized disclosure, failure to report a breach, subcontracting without downstream BAAs — and what the cure period is.

Common BAA Gaps That Create Direct Liability

The most dangerous BAA gaps are not the obvious ones — clinics know they need a BAA with their EHR. The gaps that trigger OCR investigations are the ones no one thought to check:

Analytics and Session Recording Tools in Patient Portals

This is the single most common compliance gap in telehealth. When a patient logs in to view lab results, review their prescription, or send a message to their provider, any analytics tool embedded in that authenticated session is receiving PHI. Session recording tools like FullStory or Hotjar, which capture actual user interactions, are capturing PHI if deployed in a patient portal without architectural safeguards to strip identifiers. Almost none of these tools offer BAAs because their core business model depends on data that HIPAA would prohibit them from using.
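One form of the "architectural safeguard" called for in the analytics section and again here is a server-side filter that an authenticated portal routes every analytics event through before anything reaches a vendor. The following is an added example written for this page, not code from the original article or from any analytics vendor; the event field names are an assumed schema, and the sample event is constructed. It allowlists fields rather than denylisting them, genericizes record identifiers in URLs, drops query strings and fragments, and scrubs identifier-shaped text from the properties it does forward. It deliberately drops user identifiers instead of hashing them: a hash of an MRN is still a code derived from the individual and does not satisfy the de-identification standard in 45 CFR 164.514, so the only per-visitor key forwarded is a random session token that is never mapped back to a patient.

```python
"""Allowlist-and-scrub filter for analytics events from an authenticated patient
portal. Added example with an assumed event schema; not the page's own code."""
import re
from urllib.parse import urlsplit, urlunsplit

# Fields the analytics vendor may receive. Anything not named here (user_id,
# email, ip, name, ...) is dropped, so a new portal field cannot leak by default.
PASSTHROUGH_FIELDS = {"event", "ts", "session_id"}  # session_id: random, never mapped to a patient
URL_FIELDS = {"page", "referrer"}
ALLOWED_PROPS = {"component", "outcome", "duration_ms"}

# Identifier-shaped text. Order matters: SSNs before phone numbers, dates before
# the generic long-number rule that catches MRNs, account and order numbers.
TEXT_PATTERNS = [
    ("[SSN]", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("[EMAIL]", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("[PHONE]", re.compile(r"\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b")),
    ("[DATE]", re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
    ("[NUMBER]", re.compile(r"\b\d{5,}\b")),
]

# URL path segments that are record identifiers: integers, UUIDs, long hex tokens.
ID_SEGMENT = re.compile(
    r"^(?:\d+|[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}|[0-9a-f]{16,})$", re.I
)


def scrub_text(value: str) -> str:
    """Replace identifier-shaped substrings with placeholders."""
    for placeholder, pattern in TEXT_PATTERNS:
        value = pattern.sub(placeholder, value)
    return value


def scrub_url(url: str) -> str:
    """Drop query string and fragment (tokens, emails and result ids travel there)
    and genericize identifier segments, so /patients/48213/results/9911 becomes
    /patients/{id}/results/{id}."""
    parts = urlsplit(url)
    segments = ["{id}" if ID_SEGMENT.match(seg) else seg for seg in parts.path.split("/")]
    return urlunsplit((parts.scheme, parts.netloc, "/".join(segments), "", ""))


def sanitize_event(event: dict) -> tuple[dict, list[str]]:
    """Return (event safe to forward, dotted names of the fields that were dropped).
    The dropped list belongs in your own audit log, never in the vendor payload."""
    clean: dict = {}
    dropped: list[str] = []
    for key, value in event.items():
        if key in PASSTHROUGH_FIELDS:
            clean[key] = value
        elif key in URL_FIELDS:
            clean[key] = scrub_url(value)
        elif key == "props" and isinstance(value, dict):
            clean["props"] = {}
            for pkey, pval in value.items():
                if pkey not in ALLOWED_PROPS:
                    dropped.append(f"props.{pkey}")
                else:
                    clean["props"][pkey] = scrub_text(pval) if isinstance(pval, str) else pval
        else:
            dropped.append(key)
    return clean, dropped


# Constructed sample of the kind a portal's tag manager emits after a login.
SAMPLE_EVENT = {
    "event": "lab_result_viewed",
    "page": "https://portal.example-clinic.test/patients/48213/results/9911?email=jane.doe@example.com&t=abc",
    "referrer": "https://portal.example-clinic.test/inbox",
    "ts": "2024-05-02T14:03:11Z",
    "session_id": "s_8f3a1c",
    "user_id": "48213",
    "ip": "203.0.113.7",
    "email": "jane.doe@example.com",
    "props": {
        "component": "ResultCard",
        "outcome": "error: patient jane.doe@example.com not found, MRN 48213",
        "note": "Call Jane at 555-123-4567 about her testosterone panel",
        "duration_ms": 812,
    },
}

if __name__ == "__main__":
    forwarded, dropped = sanitize_event(SAMPLE_EVENT)
    print("forward:", forwarded)
    print("dropped (audit log only):", dropped)
```

Run it as a script to see the constructed event before and after. The regex scrubber is a backstop, not a guarantee; the allowlist is what prevents a newly added field from leaking, and routing the dropped-field list to your own logs turns a developer adding `patient_name` to an event into an audit finding rather than a silent disclosure.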

Marketing Platforms with Patient Segments

Specialty medicine clinics frequently build patient marketing segments that are inherently PHI-laden: "patients on testosterone protocol for 90+ days," "patients who haven't reordered peptides in 60 days," or "patients with a lab order in the last 30 days." Segmenting your patient population for marketing purposes and syncing those segments to a marketing platform that has not signed a BAA is a direct violation, even if the marketing platform never sees a diagnosis code. The combination of identity and health-service-related behavior is PHI.

Customer Support Platforms

Patients frequently contact support about clinical matters: delayed lab results, prescription questions, dosing concerns. If your support platform (Zendesk, Intercom, Freshdesk) does not have a BAA in place, every support ticket referencing a patient's treatment is an unauthorized PHI disclosure. Some support platforms offer HIPAA-eligible tiers; many do not.

Expired or Unsigned BAAs

BAAs are not perpetual by default. Some vendor BAAs include expiration dates tied to the underlying service contract. When a contract is renewed without reviewing the BAA, or when a BAA is presented for signature but never actually executed by an authorized officer, the gap is invisible until an incident surfaces it. An audit of your BAA register should confirm not just that a BAA exists for each vendor, but that it is signed by authorized parties on both sides and has not expired.

Acquisitions and Vendor Changes

When your vendor is acquired by another company, your BAA may not automatically transfer to the acquiring entity. The new parent company may have different data processing practices, different subcontractors, and different legal terms. Acquisitions should trigger a BAA review for all affected vendors.

Liability Reality

OCR has cited missing BAAs as violations in their own right, independent of whether a breach occurred. In OCR's 2016 resolution agreement with North Memorial Health Care, the absence of a BAA with the contractor whose employee's laptop was stolen was an enforcement finding separate from the theft itself. Missing BAAs signal a systemic compliance failure that invites broader scrutiny. When a breach does occur, a missing BAA means the original disclosure to the vendor was itself impermissible, and you have no contractual right to the timely notification, forensic cooperation, or records you need to meet your own obligations, which compounds the financial and regulatory exposure.

How to Audit Your BAA Coverage

A BAA audit is a structured process of mapping every vendor that handles PHI against your register of executed BAAs. Here is the recommended procedure:

1. Build a Complete Vendor Inventory

List every software tool, API, platform, and service your clinic uses. Include tools used by clinical staff, administrative staff, billing staff, and marketing staff. Do not assume that non-clinical tools are exempt — the most common gaps are in marketing and analytics tools that non-clinical staff introduced without compliance review. Ask your team: "What tools do you use that touch patient information in any form?"

2. Classify PHI Exposure for Each Vendor

For each vendor, document whether PHI reaches their systems and in what form. Distinguish between vendors that receive identifiable PHI, vendors that might receive PHI under certain conditions (the payment processor example), and vendors that receive only de-identified data. Use this classification to determine BAA requirement status for each entry.

3. Cross-Reference Against Your BAA Register

Your BAA register should contain: vendor name, service category, PHI exposure classification, BAA execution date, BAA expiration date (if applicable), the specific document version executed, and the name and title of the signatory on both sides. For every vendor in your inventory with PHI exposure, verify a matching signed BAA entry exists.

4. Remediate Gaps Immediately

For each vendor missing a BAA: if the vendor offers a BAA, execute it immediately. If the vendor does not offer a BAA, immediately evaluate whether PHI can be architecturally removed from that vendor's data path. If PHI cannot be removed and the vendor will not sign a BAA, stop using the vendor for any PHI-touching function.

5. Document the Audit

HIPAA requires that you maintain documentation of your compliance activities for six years. Your audit record — vendor inventory, PHI classification, BAA status, and remediation actions — is part of your compliance documentation. Document the date of the audit, who conducted it, what gaps were found, and what remediation was taken.
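The five steps above reduce to a join between two records you should already keep: the vendor inventory from step 1 and the BAA register from step 3. The script below is an added example, not the page's or any vendor's code; the two inline CSVs are constructed sample data whose column names are an assumed layout matching the register fields listed in step 3. It classifies every inventoried vendor as OK, MISSING, UNSIGNED (a BAA on file but not executed by authorized parties on both sides), EXPIRED, or NOT_REQUIRED, flags register entries for vendors that are not in the inventory (an ORPHAN is either an inventory gap or a vendor offboarded without confirming return or destruction of PHI), and produces the dated audit record step 5 calls for.

```python
"""Cross-reference a vendor inventory against a BAA register and report gaps.
Added example with constructed sample data; column names are an assumed layout."""
import csv
import io
from dataclasses import dataclass, asdict
from datetime import date

# PHI exposure classes (step 2) that require an executed BAA. "conditional" is
# the payment-processor case: execute the BAA rather than argue about it later.
REQUIRES_BAA = {"identifiable", "conditional"}
GAP_STATUSES = {"MISSING", "UNSIGNED", "EXPIRED"}

# Step 1 output: every tool, API and service, whoever introduced it (constructed).
INVENTORY_CSV = """vendor,category,phi_exposure,owner
Acme EHR,EHR,identifiable,clinical
CloudCo,Cloud Infrastructure,identifiable,engineering
PayGate,Payment Processing,conditional,finance
Trackly,Patient Portal Analytics,identifiable,marketing
SiteStats,Public Website Analytics,none,marketing
"""

# Step 3 register: execution date, expiry, document version, both signatories (constructed).
REGISTER_CSV = """vendor,executed,expires,version,ce_signatory,ba_signatory
Acme EHR,2023-01-15,,v3.1,J. Ortiz (Privacy Officer),R. Chen (VP Legal)
CloudCo,2022-06-01,2024-06-01,2022-05,J. Ortiz (Privacy Officer),Online acceptance
PayGate,2023-09-30,,2023-02,,M. Patel (Counsel)
OldFax,2019-03-01,,v1,J. Ortiz (Privacy Officer),T. Nguyen (COO)
"""


@dataclass(frozen=True)
class Finding:
    vendor: str
    status: str  # OK | MISSING | UNSIGNED | EXPIRED | NOT_REQUIRED | ORPHAN
    detail: str


def _date(text: str):
    return date.fromisoformat(text) if text else None


def audit(inventory_csv: str, register_csv: str, as_of: date) -> list[Finding]:
    """Classify each inventoried vendor, then report register rows with no inventory match."""
    inventory = list(csv.DictReader(io.StringIO(inventory_csv)))
    register = {row["vendor"]: row for row in csv.DictReader(io.StringIO(register_csv))}
    findings: list[Finding] = []
    for item in inventory:
        name, exposure = item["vendor"], item["phi_exposure"]
        entry = register.get(name)
        if exposure not in REQUIRES_BAA:
            findings.append(Finding(name, "NOT_REQUIRED", f"phi_exposure={exposure}; re-check if data flows change"))
        elif entry is None:
            findings.append(Finding(name, "MISSING", f"{item['category']} vendor receives {exposure} PHI with no BAA on file"))
        elif not entry["ce_signatory"].strip() or not entry["ba_signatory"].strip():
            findings.append(Finding(name, "UNSIGNED", "BAA on file but not executed by authorized parties on both sides"))
        elif (exp := _date(entry["expires"])) is not None and exp < as_of:
            findings.append(Finding(name, "EXPIRED", f"BAA expired {exp.isoformat()}; check the renewed service contract"))
        else:
            findings.append(Finding(name, "OK", f"executed {entry['executed']}, document {entry['version']}"))
    inventoried = {item["vendor"] for item in inventory}
    for name in register:
        if name not in inventoried:
            findings.append(Finding(name, "ORPHAN", "BAA on file but vendor not inventoried: incomplete inventory, or offboarded without confirming PHI return/destruction"))
    return findings


def gaps(findings: list[Finding]) -> list[Finding]:
    """Step 4 work list: vendors that must be remediated before PHI keeps flowing."""
    return [f for f in findings if f.status in GAP_STATUSES]


def audit_record(findings: list[Finding], as_of: date, auditor: str) -> dict:
    """Step 5 documentation, retained for six years with the rest of the compliance record."""
    return {
        "audit_date": as_of.isoformat(),
        "conducted_by": auditor,
        "vendors_reviewed": sum(f.status != "ORPHAN" for f in findings),
        "gaps_found": len(gaps(findings)),
        "findings": [asdict(f) for f in findings],
    }


if __name__ == "__main__":
    results = audit(INVENTORY_CSV, REGISTER_CSV, as_of=date(2024, 9, 1))
    for f in results:
        print(f"{f.status:<12} {f.vendor:<10} {f.detail}")
    print(audit_record(results, date(2024, 9, 1), "J. Ortiz (Privacy Officer)")["gaps_found"], "gap(s)")
```

Two design points carry over to a real register. The UNSIGNED check exists because a BAA that was presented but never countersigned is indistinguishable from a signed one in most folder-based filing systems, so the register must record both signatories as data. The ORPHAN check runs in the opposite direction and is the cheapest test you have of whether step 1 was actually complete.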

Subcontractor Chain and Downstream BAAs

Every business associate you contract with may itself use subcontractors that process the PHI you entrusted to it. Since the 2013 Omnibus Rule, a subcontractor that creates, receives, maintains, or transmits PHI on behalf of a business associate is itself a business associate under the definition in 45 CFR 160.103 and is directly liable under HIPAA. Your business associate must bind each such subcontractor with a BAA that imposes the same restrictions and conditions your BAA imposes on the business associate (45 CFR 164.502(e)(1)(ii)).

Practically, this means that when your EHR stores data in AWS and uses a third-party authentication provider and a data analytics platform as subcontractors, your EHR's BAA must require it to execute BAAs with each of those subcontractors covering the PHI they process. You are not directly party to those agreements, but you have a right — and often contractual standing — to require that your business associate demonstrate its downstream BAA coverage.

The subcontractor chain is most complex in cloud-native application stacks where an EHR, practice management system, or telehealth platform may rely on dozens of third-party services. When evaluating vendors, ask:

Vendors that cannot answer these questions clearly are exposing your clinic to risk through their subcontractor chain even if your direct BAA with them is in perfect order.

BAA Management as an Ongoing Process

The most common organizational failure around BAAs is treating them as a one-time contracting exercise. A BAA signed at vendor onboarding and never reviewed again creates hidden gaps as your technology stack evolves, vendors are acquired, service scopes change, and new tools are added without compliance review.

A mature BAA management program includes:

Consequences of Missing BAAs

The consequences of operating without required BAAs are direct and substantial. HIPAA treats a missing BAA as a violation in its own right, separate from any breach or patient harm.

Enforcement Reality: $1.55M

OCR's 2016 settlement with North Memorial Health Care, in which the failure to execute a BAA with a major contractor was a headline finding alongside the absence of an organization-wide risk analysis. The resolution agreement carried a multi-year corrective action plan, a compliance effort whose cost came on top of the payment itself.

Direct HIPAA Liability

OCR can investigate and fine your clinic for missing BAAs independently of whether any breach occurred. If your business associate suffers a breach and no BAA was in place, your clinic answers for having disclosed PHI to the vendor impermissibly in the first place, and can be held liable for the vendor's conduct where the vendor was acting as your agent, even though the incident happened entirely within the vendor's systems.

No Contractual Leverage Over the Vendor

A vendor that meets the definition of a business associate is directly liable to OCR for its own HIPAA violations whether or not a BAA was signed, but that liability runs to the regulator, not to you. Without a BAA, your rights against the vendor are limited to whatever its standard terms of service say, which typically means broad liability limitations and no HIPAA-specific obligations: no breach notification deadline, no audit access, no return or destruction of PHI, no indemnification. The BAA is the instrument that makes the vendor answerable to your clinic. Without it, you are effectively your own insurer for the vendor's failures.

Breach Notification Complications

When a vendor experiences a breach and there is no BAA in place, the vendor has no contractual obligation to notify you promptly; the BAA is what turns the regulatory duty in 45 CFR 164.410 into a deadline you can enforce. You may learn of a breach affecting your patients from a news report rather than from the vendor. Without timely notification, you cannot meet your own 60-day deadline for notifying affected individuals (and HHS and, for large breaches, the media), adding a second HIPAA violation to the first.

State Law Penalties

Several states have enacted health data privacy laws with penalty structures that stack on top of HIPAA fines. California's CMIA, New York's SHIELD Act, and similar statutes can impose additional per-violation penalties. Missing BAAs that contributed to a breach can trigger these state-level enforcement actions in parallel with OCR investigations.

BAA Provisions Checklist

Use this checklist when reviewing a vendor-provided BAA before signing, or when drafting your own BAA template to present to vendors.

BAA Provisions Checklist: Required and Recommended Elements

Required by regulation (45 CFR 164.504(e)(2) and 164.314(a)(2)); a BAA missing any of these is not compliant:

[ ] Specific permitted uses and disclosures of PHI are enumerated, not a blanket authorization
[ ] Prohibition on use or disclosure not permitted by the BAA or required by law
[ ] Requirement to implement appropriate administrative, physical, and technical safeguards
[ ] Breach notification obligation included with timeline specified
[ ] Subcontractor BAA requirement: downstream agreements must mirror BA obligations
[ ] Access to PHI for patient rights fulfillment (access, amendment, accounting)
[ ] HHS audit access: internal practices available to the Secretary upon request
[ ] Return or destruction of PHI upon termination with certification requirement
[ ] Covered entity's right to terminate upon material breach with cure period
[ ] Obligation to report unauthorized uses, disclosures, or security incidents to the covered entity

Recommended; negotiate these into vendor-provided templates:

[ ] Breach notification timeline shortened to 10 business days (vs. 60-day regulatory maximum)
[ ] Specific security standards referenced (e.g., AES-256 at rest, TLS 1.3 in transit)
[ ] Right to audit vendor's HIPAA compliance upon reasonable notice
[ ] Subcontractor list disclosure requirement: vendor must identify PHI-touching subcontractors
[ ] Advance notice required before adding new PHI-touching subcontractors
[ ] Indemnification clause covering costs arising from vendor's HIPAA violations
[ ] Data location specification: PHI must remain within specified geographic regions
[ ] Prohibition on using PHI to train AI models or improve vendor's own products
[ ] Annual security assessment or SOC 2 Type II report sharing obligation
[ ] Specific data destruction method and timeline upon termination (e.g., within 30 days)
[ ] Survival clause: PHI protection obligations survive termination of the underlying service
[ ] Mutual representation of HIPAA compliance program existence and maintenance

When a vendor presents their standard BAA for your signature, evaluate it against this checklist. Required provisions that are missing should be flagged as non-starters. Recommended provisions should be negotiated — particularly the breach notification timeline, the prohibition on AI training with PHI, and indemnification terms, which are the provisions with the greatest practical impact on your exposure.

Frequently Asked Questions

What is a Business Associate Agreement (BAA) and when is it required?

A BAA is a legally binding contract required by HIPAA (45 CFR 164.502(e), 164.504(e), 164.308(b), and 164.314(a)) between your clinic and any vendor that creates, receives, maintains, or transmits Protected Health Information on your behalf. It is required whenever a vendor handles PHI in order to perform services for you, including vendors that merely store it in encrypted form without a key. This covers your EHR, cloud host, email provider, SMS platform, video conferencing tool, payment processor (when transaction data carries clinical context), analytics tools in the patient portal, lab and pharmacy integration intermediaries, billing vendors, and any AI or chatbot tools. A missing BAA is a HIPAA violation in itself, regardless of whether a breach ever occurs.

Do payment processors like Stripe need a BAA?

It depends on your integration architecture. Pure payment data — card number, expiration date, billing address — is PCI-DSS governed, not HIPAA regulated. However, if the transaction record links a patient's identity to a healthcare service description, subscription plan, or product code that reveals the nature of their treatment, PHI is in play and a BAA is required. Most major payment processors including Stripe offer BAAs for healthcare customers; activating one is a low-friction step that protects you if your integration inadvertently passes PHI context. When in doubt, execute the BAA.

What happens if a vendor won't sign a BAA?

If a vendor that handles PHI refuses to sign a BAA, you have two legally permissible options: restructure your integration to ensure PHI never reaches that vendor's systems, or stop using the vendor for any PHI-touching function. You cannot continue using a vendor that touches PHI without a signed BAA. This situation most commonly arises with general-purpose marketing automation platforms, analytics tools, and consumer AI platforms. If restructuring is not feasible and the vendor will not execute a BAA, the vendor is incompatible with HIPAA and must be replaced.

Does a BAA protect my clinic from liability if a vendor has a breach?

A BAA narrows but does not eliminate your exposure. Under the HITECH Act a business associate is directly liable to OCR for its own violations whether or not a BAA was signed; what the BAA adds is your contractual rights (breach notification timelines, audit access, termination triggers) and the evidence that you met your own obligation to bind the vendor. Your clinic remains liable if you disclosed PHI to the vendor without a BAA in place, if you knew of ongoing violations and failed to act, if you skipped reasonable due diligence before engaging the vendor, or if your own safeguards were inadequate. A BAA is required infrastructure, not optional risk transfer.

Do AI tools and chatbots used in a clinic require a BAA?

Yes, if the AI tool processes any PHI. AI scribing tools that transcribe consultations, intake chatbots that collect patient symptoms, clinical decision support tools, and any large language model API where patient context is submitted as part of a prompt all require BAAs before PHI is sent to the vendor's infrastructure. Standard tiers of ChatGPT, Google Gemini, and most consumer AI platforms do not offer BAAs and explicitly prohibit PHI submission in their terms of service. Healthcare-specific API tiers with BAAs exist; these are the only compliant path for AI tools that process PHI.

How often should a telehealth clinic audit its BAA coverage?

Conduct a formal BAA audit at minimum annually, and immediately when any of the following occur: a new vendor is added to your tech stack, a vendor contract is renewed or materially changed, a vendor is acquired (which may change the data processing entity), your clinic adds a new service line that introduces new PHI data flows, or any security incident involving a business associate occurs. The annual audit should cross-reference your complete vendor inventory against your signed BAA register, verify no BAAs have expired, confirm subcontractor BAA chains are intact, and document the results. BAA management is a continuous compliance function.

LUKE Health Comes With BAAs Ready to Sign

LUKE Health is built specifically for HIPAA-compliant specialty medicine telehealth. The platform maintains executed BAAs across its entire vendor stack — cloud infrastructure, lab integrations, compounding pharmacy connections, SMS, email, and payment processing — so you are not left managing a web of individual vendor agreements.

BAA available for every integration, subcontractor chain documented, field-level AES-256 encryption, HIPAA-compliant audit trails, built for peptide, TRT, and HRT clinics, no analytics PHI exposure.