A Business Associate Agreement (BAA) is a contract between you and any vendor who handles protected health information on your behalf. No BAA means you're already in violation of HIPAA—even if no breach ever occurs.
This guide explains what BAAs are, who needs them, what they must include, and how to ensure you're covered with every vendor who touches your client data.
What Is a Business Associate?
A business associate is any person or entity that:
- Creates, receives, maintains, or transmits PHI on your behalf
- Performs functions or activities involving PHI for you
Common Business Associates for Therapists
| Vendor Type | Examples | Why They're a BA |
|---|---|---|
| EHR/Practice Management | SimplePractice, TherapyNotes, Jane App | Stores all client records |
| Telehealth Platform | Doxy.me, Zoom Healthcare, VSee | Transmits session video/audio |
| Billing Service | External billing company | Processes claims with PHI |
| Clearinghouse | Availity, Office Ally | Transmits claims to payers |
| Cloud Storage | Google Workspace, Dropbox Business | If you store PHI there |
| Email Service | Hushmail, Paubox | If you send PHI via email |
| Answering Service | Virtual receptionist | May take messages with PHI |
| IT Support | Tech support company | May access systems with PHI |
| Shredding Company | Document destruction | Handles paper records with PHI |
What Is a BAA?
A Business Associate Agreement is a written contract that:
- Establishes what the business associate can do with PHI
- Requires the BA to protect PHI appropriately
- Specifies breach notification requirements
- Gives you rights to terminate if they violate HIPAA
Why It Matters
Without a BAA, you are violating HIPAA by sharing PHI with that vendor—even if:
- The vendor is reputable
- No breach has occurred
- The vendor claims to be "HIPAA compliant"
"HIPAA compliant" means nothing without a signed BAA.
Required BAA Elements
HIPAA specifies what a BAA must include:
1. Permitted Uses and Disclosures
The BAA must establish:
- What the BA is allowed to do with PHI
- That the BA won't use PHI except as permitted by the agreement
- Limits on further disclosure
2. Safeguards
The BA agrees to:
- Use appropriate safeguards to prevent unauthorized use
- Implement the HIPAA Security Rule requirements for electronic PHI (ePHI)
- Protect the confidentiality, integrity, and availability of PHI
3. Reporting Requirements
The BA must:
- Report any unauthorized use or disclosure
- Report security incidents
- Notify you of breaches
4. Subcontractor Requirements
If the BA uses subcontractors:
- The BA must ensure subcontractors agree to the same restrictions
- The BA must have BAAs with its subcontractors
5. Individual Rights
The BA must:
- Make PHI available to individuals who request access
- Support amendments to PHI
- Provide accounting of disclosures
6. HHS Access
The BA must:
- Make records available to HHS for compliance investigations
- Make internal practices and records available for determining compliance
7. Termination
At termination of the agreement, the BA must:
- Return or destroy all PHI
- If return or destruction isn't feasible, continue to protect the retained PHI
Getting BAAs from Vendors
How to Obtain a BAA
Most HIPAA-aware vendors provide BAAs through:
- Account setup process (checkbox or click-through)
- Settings or compliance section of their platform
- Request to support/sales team
- Contract addendum
Ask these questions:
- Do you provide a Business Associate Agreement?
- Where can I access and sign it?
- Do you have a BAA with your subcontractors?
What If They Don't Offer a BAA?
If a vendor handles PHI but won't provide a BAA:
- Don't use them for anything involving PHI
- Find an alternative vendor that offers BAAs
- Never assume "they're probably fine"
Red Flags
- "We're HIPAA compliant" but won't provide BAA
- "Our security is good enough"
- "HIPAA doesn't apply to us"
- Unable to explain their security measures
BAAs by Vendor Category
EHR/Practice Management Software
You must have a BAA. These systems store your entire client database.
| Vendor | BAA Available | How to Access |
|---|---|---|
| SimplePractice | Yes | Part of Terms of Service |
| TherapyNotes | Yes | Account settings |
| Jane App | Yes | Compliance settings |
| TheraNest | Yes | Account agreement |
Telehealth Platforms
You must have a BAA. Sessions transmit sensitive content.
| Vendor | BAA Available | How to Access |
|---|---|---|
| Doxy.me | Yes | Account settings |
| Zoom for Healthcare | Yes | Healthcare plan agreement |
| VSee | Yes | Account setup |
Note: Standard Zoom, FaceTime, and Skype don't offer BAAs—don't use them.
Cloud Storage
BAA required if storing PHI.
| Vendor | BAA Available | Notes |
|---|---|---|
| Google Workspace | Yes | Business/Enterprise plans with BAA enabled |
| Microsoft 365 | Yes | Business plans with BAA |
| Dropbox Business | Yes | Business plans only |
| Apple iCloud | No | Don't store PHI in iCloud |
Email Services
BAA required if sending PHI via email.
| Vendor | BAA Available | Notes |
|---|---|---|
| Hushmail | Yes | Healthcare plan |
| Paubox | Yes | Healthcare-focused |
| Google Workspace | Yes | With BAA enabled |
| Microsoft 365 | Yes | Business plans |
| Regular Gmail | No | Don't send PHI |
Managing Your BAAs
Documentation
Keep records of all BAAs:
- Copy of signed agreement
- Date signed
- Vendor contact information
- What PHI they handle
Regular Review
Review your BAAs periodically:
- Annual review is good practice
- Check when vendors update terms
- Verify coverage when adding new vendors
Vendor Changes
When vendors change:
- Ensure data is returned or destroyed
- Get confirmation of destruction
- Update your documentation
What Happens Without a BAA?
You're Already Violating HIPAA
Sharing PHI with a vendor without a BAA is itself a violation—regardless of whether any breach occurs.
Penalty Exposure
If HHS investigates:
- Fines for impermissible disclosure
- Required corrective action
- Potential public disclosure of violation
Breach Complications
If that vendor has a breach:
- You may be liable for the breach
- Notification requirements fall on you
- No contractual protection for damages
Insurance Issues
Malpractice/cyber insurance may not cover:
- Breaches involving non-compliant vendors
- Claims arising from HIPAA violations
Subcontractors and Downstream BAAs
Your vendors often use subcontractors (cloud hosting, payment processing, etc.).
Your Vendor's Responsibility
Your BAA should require vendors to:
- Have BAAs with their subcontractors
- Ensure subcontractors meet HIPAA requirements
- Be responsible for subcontractor compliance
Your Responsibility
You don't need direct BAAs with your vendors' subcontractors—but you should:
- Ask vendors about their subcontractors
- Understand who ultimately handles your PHI
- Verify vendors have appropriate downstream BAAs
Frequently Asked Questions
- Do I need a BAA with my EHR software provider?
- Yes. Any software that stores, processes, or transmits protected health information (PHI) requires a BAA. This includes EHR systems, practice management software, telehealth platforms, scheduling tools, and billing services. Most reputable vendors provide BAAs as part of their service agreement.
- What happens if a business associate violates HIPAA?
- Both the business associate and the covered entity (you) can face penalties. As the covered entity, you're responsible for ensuring your BAA is in place and that you've done due diligence in selecting compliant vendors. If a breach occurs due to a business associate's negligence, they bear primary liability, but you may face scrutiny for your vendor selection and oversight.
- Do I need a BAA with Google or Microsoft for email?
- Yes, if you use Gmail or Outlook for client communication containing PHI—and standard free accounts don't offer BAAs. You need Google Workspace (paid) or Microsoft 365 Business (paid) to obtain a BAA. Better yet, use a HIPAA-compliant email service designed for healthcare or communicate through your EHR's secure messaging.
- Is a BAA required for my accountant or billing service?
- Yes, if they access PHI. Medical billers, clearinghouses, and accountants who see client names, diagnoses, or session dates need BAAs. Some accountants only see de-identified financial data (amounts without client names)—in that case, no BAA is required. Clarify exactly what information they'll access.
- How long should I keep BAAs on file?
- HIPAA requires you to retain BAAs for six years from the date of creation or six years from when the agreement was last in effect, whichever is later. Keep BAAs even after you stop using a vendor, as you may need them for audit purposes.
A BAA is your first line of defense when working with vendors. No signed BAA = HIPAA violation, regardless of how secure the vendor claims to be. Audit your vendors, get your BAAs documented, and don't work with anyone who won't provide one.