A business associate agreement (BAA) is the HIPAA-required contract between you and any vendor that handles protected health information on your behalf. It obligates that vendor to safeguard PHI, limit how it is used, report breaches, and let you audit them. Every cloud host, database, messaging provider, analytics tool, video SDK, and AI API that touches PHI needs one. Most reputable vendors provide a BAA at no extra cost, and you should have every BAA signed before any patient data flows.
What a business associate agreement is
A BAA is a contract required by HIPAA whenever a covered entity (a provider, health plan, or clearinghouse) or another business associate hands protected health information to a vendor that will create, receive, maintain, or transmit it on their behalf. That vendor becomes a "business associate," and the BAA is what legally binds them to HIPAA's safeguards. Without it, the disclosure of PHI to the vendor is itself a violation, regardless of how secure the vendor actually is.
Think of the BAA as the legal layer that sits on top of the technical controls in our HIPAA-compliant app development guide. Encryption, access control, and audit logging protect the data; the BAA extends your HIPAA obligations down the supply chain so every party touching PHI is contractually on the hook. If you are working through HIPAA for the first time, pair this guide with how to make an app HIPAA compliant.
Who needs a BAA (and who doesn't)
You need a BAA with any vendor that handles PHI on your behalf. The table below maps the vendors a typical healthtech MVP touches against whether a BAA is required.
| Vendor type | BAA required? | Why |
|---|---|---|
| Cloud hosting (AWS, GCP, Azure) | Yes | Stores and processes PHI; all major clouds offer a BAA |
| Managed database | Yes | Maintains PHI at rest |
| Email / SMS provider | Yes, if PHI is in messages | Transmits and may store PHI |
| Video SDK (telehealth) | Yes | Transmits a live PHI encounter |
| AI / LLM API | Yes, if PHI is sent | Processes PHI in prompts and outputs |
| Analytics / error monitoring | Yes, if it can capture PHI | May ingest PHI from screens, logs, or payloads |
| Payment processor | Usually no | Payment-only processing is exempt, but watch for PHI bleed into descriptions or metadata |
| Pure encrypted conduit | Often no | Transient transport without access may be a conduit |
Two edge cases trip teams up. The "conduit exception" is narrow: it covers transient transport like an ISP, not a vendor that stores data even briefly. And the payment exception is about financial transactions only, so if PHI leaks into a payment description or metadata, you may need a BAA there too. When in doubt, get the BAA.
One more category to watch is your own internal tooling. Customer support platforms, ticketing systems, and shared inboxes routinely accumulate PHI when patients paste medical details into a message. If a vendor's product becomes a place where PHI lands, even unintentionally, it has crossed into business-associate territory and needs a BAA. The safest posture is to assume any tool your team uses to communicate with or about patients will eventually hold PHI, and choose accordingly.
The required clauses every BAA must contain
HIPAA specifies the minimum content of a BAA. A valid agreement obligates the business associate to do the following, so read any vendor BAA against this list before you sign.
- Permitted uses and disclosures. The vendor may only use or disclose PHI as the contract and HIPAA permit, and not more broadly.
- Appropriate safeguards. The vendor must implement administrative, physical, and technical safeguards, including the Security Rule requirements for electronic PHI.
- Breach and incident reporting. The vendor must report security incidents and breaches of unsecured PHI to you, within a defined timeframe.
- Subcontractor flow-down. Any subcontractor the vendor uses to handle PHI must agree to the same restrictions via its own BAA.
- Individual rights support. The vendor must help you meet patients' access and amendment rights and provide an accounting of disclosures.
- Availability to regulators. The vendor must make its practices and records available to HHS for compliance review.
- Return or destruction. On termination, the vendor must return or destroy all PHI where feasible.
- Termination for breach. You can terminate if the vendor materially violates the agreement.
If a vendor's BAA is missing breach reporting, subcontractor flow-down, or the return-or-destroy clause, it is not a compliant BAA. These clauses are why a BAA is more than a formality: they are how your compliance obligations survive a vendor relationship ending or a subcontractor being added.
A practical vendor BAA checklist
Use this checklist when evaluating any vendor that will touch PHI. It will save you from discovering a gap during a breach or an audit, which is the worst possible time.
- Does the vendor offer a BAA at all? If not, it is disqualified for PHI, full stop.
- Is the BAA self-serve or negotiated? Click-through BAAs keep your timeline clean; negotiated ones need legal lead time.
- Which specific services are in scope? Many vendors cover only certain products under their BAA. Confirm your exact services qualify.
- Where is data stored, and is it encrypted at rest and in transit? Map this to your data-residency needs.
- What is the breach-notification window? Shorter is better; verify it meets your downstream obligations.
- Are subcontractors covered? Confirm the flow-down and ask who the major subprocessors are.
- Independent attestations? A SOC 2 report supports, but does not replace, a BAA. See SOC 2 compliance for healthtech startups.
Keep a living vendor register that lists every PHI-touching vendor, the signed BAA, the in-scope services, and the renewal or review date. Auditors and acquirers will ask for it, and it is far easier to maintain from day one than to reconstruct later.
BAAs and AI vendors: the 2026 wrinkle
The fastest-growing BAA gap in 2026 is AI. If you send any PHI to an LLM or AI API, that provider is a business associate and needs a BAA, and not every AI vendor offers one. Major cloud providers offer HIPAA-eligible AI services under their existing BAA, but consumer-grade endpoints typically do not. Before you pipe patient data into a model, confirm the BAA covers the specific AI service, and design your pipeline so PHI only reaches BAA-covered endpoints. Better still, de-identify first where possible, as we cover in de-identification of health data, and read building AI with patient data for the full architecture.
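As an added example (not the article's code) that ties the vendor register from the checklist above to the pipeline rule in this section: a small Python register that records each vendor's BAA signing date, in-scope services and review date, plus a gate that refuses to send PHI to any destination the register does not cover. Vendor names, services and dates are constructed placeholders.

```python
# Added example, not code from the article: a minimal PHI vendor register and a
# gate every PHI egress must pass. Vendors, services and dates are constructed.
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class VendorEntry:
    vendor: str
    baa_signed_on: Optional[str]   # ISO date; None = BAA not executed yet
    in_scope_services: frozenset   # only these services are covered by the BAA
    review_by: str                 # renewal / re-review deadline (ISO date)

class PhiEgressBlocked(Exception): pass  # raised instead of sending PHI to an uncovered destination

class VendorRegister:
    def __init__(self, entries):
        self._by_vendor = {e.vendor: e for e in entries}

    def gap(self, vendor, service, today):
        """Mirror the checklist: vendor listed, BAA signed, exact service in scope,
        review date not passed. Returns None if PHI may flow, else the gap."""
        e = self._by_vendor.get(vendor)
        if e is None:
            return f"{vendor}: not in vendor register, no BAA on file"
        if e.baa_signed_on is None:
            return f"{vendor}: BAA not signed; no PHI until it is"
        if service not in e.in_scope_services:
            return f"{vendor}/{service}: service outside BAA scope"
        if date.fromisoformat(today) > date.fromisoformat(e.review_by):
            return f"{vendor}: BAA past review date {e.review_by}"
        return None

    def send_phi(self, vendor, service, payload, today, transport):
        """The only path PHI may take out of the app: gate first, then send."""
        gap = self.gap(vendor, service, today)
        if gap:
            raise PhiEgressBlocked(gap)
        return transport(payload)

    def audit(self, flows, today):
        """Dry-run planned PHI flows (for CI or an audit); return the blocked ones."""
        return [g for g in (self.gap(v, s, today) for v, s in flows) if g]

# Constructed register for a hypothetical telehealth MVP.
REGISTER = VendorRegister([
    VendorEntry("cloud-host", "2026-01-10", frozenset({"db", "object-store", "llm-eligible"}), "2027-01-10"),
    VendorEntry("chat-llm", None, frozenset({"chat-completions"}), "2026-12-31"),
    VendorEntry("session-replay", "2025-06-01", frozenset({"crash-reports"}), "2026-06-01"),
])
```

Running `REGISTER.audit(...)` over every planned PHI flow in CI catches the service-specific-coverage and unsigned-BAA mistakes before any patient data moves.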
Cost: what BAAs actually add to a build
The direct cost of a BAA is usually low, but the architectural discipline of staying on BAA-eligible vendors has real implications for how you build.
| Item | Typical 2026 cost | Notes |
|---|---|---|
| Standard vendor BAA | $0 | Most major clouds and SaaS include it free |
| Legal review per BAA | $500 - $2,000 | For negotiated or non-standard agreements |
| Architecting to BAA-only stack | Built into MVP scope | Vendor selection and data-flow design |
For the full build picture, see healthcare app development cost and how much an AI MVP costs, or size your scope with the AI MVP Cost Calculator.
Common BAA mistakes to avoid
- Sending PHI before the BAA is signed. Even a brief pre-signature test with real data is a violation.
- Assuming a BAA covers all of a vendor's products. Coverage is often service-specific; confirm yours qualifies.
- Forgetting analytics and error monitoring. Session-replay and crash tools quietly capture PHI from screens and payloads.
- Treating SOC 2 as a substitute. SOC 2 is an attestation, not a contract that binds the vendor to HIPAA.
- Ignoring subcontractor flow-down. Your obligations extend down the chain whether you track it or not.
- No vendor register. If you cannot list every PHI vendor and its BAA, you cannot prove compliance.
We cover more of these in healthtech MVP mistakes. This is general information, not legal advice; consult qualified healthcare counsel to review your specific BAAs and vendor relationships.
How SpeedMVPs handles BAAs and vendor compliance
SpeedMVPs is an AI MVP studio that ships production-ready, HIPAA-ready MVPs in 2 to 3 weeks with fixed pricing and direct developer access. We default to a stack where every PHI-touching vendor already offers a BAA, so paperwork stays off the critical path. We architect a clean PHI boundary, keep PHI out of analytics and logs unless the tool is BAA-covered, and hand you a vendor register documenting every agreement and the services it covers. When a build needs an AI layer, we route PHI only to BAA-eligible endpoints or de-identify first.
For the broader process, our healthtech MVP development guide ties compliance into the rest of the build, and the AI development agency checklist covers the BAA and compliance questions worth asking any partner.
Ready to get your BAAs and compliance right?
If you are building a product that handles PHI and want your vendor agreements and architecture right from day one, let's scope it. We will map your PHI flows, identify every vendor that needs a BAA, and give you a fixed price and timeline. Book a free discovery call to get started, or explore our AI MVP Development service to see how we ship compliant from the first commit.