What Is a BAA? (Business Associate Agreement for Healthcare)

Last updated: March 20, 2026

TLDR

A BAA (Business Associate Agreement) is a HIPAA-required contract between your medical practice and any vendor who handles patient data. Without one, using any third-party tool — email, task management, cloud storage — with patient information is a HIPAA violation.

The One-Sentence Answer

A BAA (Business Associate Agreement) is a contract HIPAA requires your practice to sign with any vendor that handles patient data before you use their service.

If a vendor touches protected health information (PHI) on behalf of your practice, you need a written agreement specifying how they’ll protect that data and what happens if there’s a breach. The requirement is in 45 CFR § 164.308. A solo practice and a hospital system face the same requirement.

Which Tools Need a BAA

Any vendor that creates, receives, maintains, or transmits PHI on your behalf needs a BAA:

  • Your EHR system (almost certainly already has one)
  • Task management software, if staff use it for patient-related tasks
  • Email provider, if staff send or receive PHI
  • Cloud storage (Google Drive, Dropbox, OneDrive), if practice files include patient information
  • Appointment scheduling tools
  • Medical billing services
  • IT support and managed service providers
  • Transcription and answering services

Most administrators already know their EHR is covered. The gap tends to be in the secondary tools. If your staff uses a task board to coordinate patient care or track follow-ups, that tool needs a BAA too.

Why BAAs Matter

The Office for Civil Rights (OCR) enforces HIPAA and has issued fines for BAA failures where no breach occurred. The missing contract is the violation, not the breach. Fines run from $100 to $50,000 per violation. Practices with several vendors operating without BAAs can face multiple violations from a single audit.

OCR’s published enforcement cases include providers with fewer than five employees.

Getting a BAA from Common Tools

Google Workspace and Microsoft 365 handle BAA execution through their admin portals. Both are self-service once you’re on a qualifying plan, and both sign BAAs at their entry-level business tiers.

Other tools gate BAA access behind enterprise plans. Slack requires Enterprise Grid (custom pricing, typically 250+ seats). Asana requires Enterprise+ (~$45/user/month). Monday.com and Notion require their Enterprise tiers with custom contracts. These aren’t oversights — they’re pricing decisions.

Trello doesn’t offer a BAA at any tier.

PHIGuard includes a signed BAA at every pricing tier: Practice ($20/month), Clinic ($49/month), Health System ($99/month). You don’t need an enterprise contract to get one.

For a complete breakdown of BAA requirements, which tools include them, and the OCR enforcement record, see the full guide, What Is a Business Associate Agreement?

DEFINITION

BAA (Business Associate Agreement)
A HIPAA-required contract specifying how a vendor will protect and handle protected health information.

DEFINITION

PHI (Protected Health Information)
Any patient-identifiable health information — names, diagnoses, appointments, billing data — that HIPAA protects.

Q&A

What is a BAA in healthcare?

BAA stands for Business Associate Agreement. It is a contract required by HIPAA between a medical practice and any vendor who handles protected health information. Without a signed BAA, using a vendor with PHI is a HIPAA violation.

Q&A

Which tools need a BAA?

Any tool that stores or transmits patient information needs a BAA: EHR systems, task management software, email providers, cloud storage, scheduling tools, and billing services.

Want to learn more?

What does BAA stand for?

BAA stands for Business Associate Agreement. It's a HIPAA-required contract between a covered entity (your practice) and any vendor who handles protected health information on its behalf.

Do I need a BAA for every software tool my practice uses?

Yes, for any tool that touches PHI. This includes your EHR, task management software, email, cloud storage, scheduling tools, and billing systems. If it stores or transmits patient information, you need a BAA.

Does PHIGuard include a BAA?

Yes — PHIGuard includes a signed BAA at every pricing tier. You don't need to negotiate an enterprise contract or upgrade to a more expensive plan to get compliant task management.