# What Is a Business Associate Agreement (BAA)?

Last updated: 2026-04-30

A plain-English guide to BAAs for SaaS tools, HIPAA-regulated workflows, vendor verification, and PHI handling.

## Direct answer

A Business Associate Agreement is a HIPAA contract between a covered entity and a vendor that may create, receive, maintain, or transmit PHI. A BAA does not automatically make a workflow compliant; plan scope, product configuration, and intended use still matter.
## Key takeaways
- A BAA is necessary for many SaaS PHI workflows, but it is not a certification.
- The exact product, plan, region, support channel, and integration path must be covered.
- A signed BAA still requires configuration, access controls, policies, training, and minimum-necessary data practices.
## Definition snippets

**Business Associate Agreement**

A BAA is a written HIPAA contract that sets out how a vendor or subcontractor may create, receive, maintain, transmit, safeguard, and report on PHI for a covered entity or business associate.

**Business associate**

A business associate is generally a vendor or subcontractor that performs services involving PHI on behalf of a HIPAA covered entity or another business associate.
## Comparison table
| Topic | Practical meaning | SaaS review note |
|---|---|---|
| BAA | A contract that defines vendor responsibilities for PHI safeguards and permitted uses. | Confirm whether the exact SaaS product and workflow are covered before PHI is entered. |
| SOC 2 | A security controls report for a service organization, often under NDA or trust portal access. | Useful evidence, but it does not replace HIPAA-specific BAA and PHI review. |
| HIPAA-ready workflow | A vendor, agreement, configuration, policy, and user workflow that have been reviewed together. | Avoid treating a vendor logo or trust badge as approval for all PHI use. |
## Verification checklist
- Ask whether the vendor will sign a BAA for the exact product, plan, region, and use case.
- Confirm which services, add-ons, support channels, APIs, and subprocessors are included or excluded.
- Document where PHI may appear: fields, files, messages, logs, exports, notifications, and support tickets.
- Review required customer-side settings before using the tool with regulated data.
## What a BAA does
A BAA defines responsibilities for protecting PHI, breach handling, permitted uses, subcontractors, safeguards, and termination. For SaaS tools, the key question is whether the exact product and services you use are covered.
## What a BAA does not do
A BAA is not a certification, audit opinion, or guarantee that every workflow is appropriate for PHI. Customers still need minimum necessary practices, access controls, training, policies, and vendor-specific configuration.
## FAQ

**Does a BAA make software HIPAA compliant?**
No. A BAA is one requirement for many vendor relationships, but compliance also depends on configuration, safeguards, user behavior, and the specific PHI workflow.
**Should I store PHI before a BAA is signed?**
Avoid storing or transmitting PHI until you verify BAA coverage and receive qualified legal or compliance approval for the workflow.
**Can a vendor be secure but still not appropriate for PHI?**
Yes. A vendor may have strong security controls while still lacking HIPAA-specific contractual coverage, covered-service scope, or workflow safeguards for PHI.
**Does every SaaS vendor need a BAA?**
No. A BAA is generally needed when the SaaS vendor creates, receives, maintains, or transmits PHI for a covered entity or business associate. If the workflow excludes PHI, a BAA may not be triggered, but the data flow should be reviewed carefully.
**Does SOC 2 replace a BAA?**
No. SOC 2 can support security review, but it does not create HIPAA contractual coverage or authorize PHI handling. SaaS buyers still need BAA scope, covered-service review, configuration, and workflow-specific approval.
| Vendor | HIPAA | SOC 2 |
|---|---|---|
| HubSpot | Conditional | Public evidence |
| Google Workspace | Conditional | Public evidence |
| Google Calendar | Conditional | Public evidence |
| ChatGPT | Conditional | Public evidence |
| Airtable | Conditional | Public evidence |
| QuickBooks | Not HIPAA compliant | Verify with vendor |
| SendGrid | Not HIPAA eligible | Public evidence |
## Methodology and source notes

### Methodology
- Use HHS HIPAA materials for definitions and contract framing.
- Apply SaaS-specific review questions around product scope, connected systems, support access, and customer configuration.
- Avoid concluding that a vendor is compliant from a BAA signal alone.