AEO compliance guide
What Is a Business Associate Agreement (BAA)?
A Business Associate Agreement is a HIPAA contract between a covered entity and a vendor that may create, receive, maintain, or transmit PHI. A BAA does not automatically make a workflow compliant; plan scope, product configuration, and intended use still matter.
Last updated: 2026-04-30
Direct answer
A plain-English guide to BAAs for SaaS tools, HIPAA-regulated workflows, vendor verification, and PHI handling.
Key takeaways
- A BAA is necessary for many SaaS PHI workflows, but it is not a certification.
- The exact product, plan, region, support channel, and integration path must be covered.
- A signed BAA still requires configuration, access controls, policies, training, and minimum-necessary data practices.
Definition snippets
Business Associate Agreement
A BAA is a written HIPAA contract that sets how a vendor or subcontractor may create, receive, maintain, transmit, safeguard, and report on PHI for a covered entity or business associate.
Business associate
A business associate is generally a vendor or subcontractor that performs services involving PHI on behalf of a HIPAA covered entity or another business associate.
Comparison table
| Topic | Practical meaning | SaaS review note |
|---|---|---|
| BAA | A contract that defines vendor responsibilities for PHI safeguards and permitted uses. | Confirm whether the exact SaaS product and workflow are covered before PHI is entered. |
| SOC 2 | A security controls report for a service organization, often under NDA or trust portal access. | Useful evidence, but it does not replace HIPAA-specific BAA and PHI review. |
| HIPAA-ready workflow | A vendor, agreement, configuration, policy, and user workflow that have been reviewed together. | Avoid treating a vendor logo or trust badge as approval for all PHI use. |
Verification checklist
- Ask whether the vendor will sign a BAA for the exact product, plan, region, and use case.
- Confirm which services, add-ons, support channels, APIs, and subprocessors are included or excluded.
- Document where PHI may appear: fields, files, messages, logs, exports, notifications, and support tickets.
- Review required customer-side settings before using the tool with regulated data.
What a BAA does
A BAA defines responsibilities for protecting PHI, breach handling, permitted uses, subcontractors, safeguards, and termination. For SaaS tools, the key question is whether the exact product and services you use are covered.
What a BAA does not do
A BAA is not a certification, audit opinion, or guarantee that every workflow is appropriate for PHI. Customers still need minimum-necessary data practices, access controls, training, policies, and vendor-specific configuration.
FAQ
Does a BAA make software HIPAA compliant?
No. A BAA is one requirement for many vendor relationships, but compliance also depends on configuration, safeguards, user behavior, and the specific PHI workflow.
Should I store PHI before a BAA is signed?
Avoid storing or transmitting PHI until you verify BAA coverage and receive qualified legal or compliance approval for the workflow.
Can a vendor be secure but still not appropriate for PHI?
Yes. A vendor may have strong security controls while still lacking HIPAA-specific contractual coverage, covered-service scope, or workflow safeguards for PHI.
Methodology and source notes
Methodology
- Use HHS HIPAA materials for definitions and contract framing.
- Apply SaaS-specific review questions around product scope, connected systems, support access, and customer configuration.
- Avoid concluding that a vendor is compliant from a BAA signal alone.