HIPAA Business Associate Agreement
A HIPAA BAA is a contract under which a SaaS or AI vendor takes on the legal obligations of a HIPAA business associate when handling protected health information.
What is a HIPAA BAA?
A HIPAA Business Associate Agreement is a contract required under the U.S. Health Insurance Portability and Accountability Act whenever a covered entity (a healthcare provider, health plan, or clearinghouse) shares Protected Health Information (PHI) with a third-party service provider. The vendor signs the BAA and accepts the legal duty to safeguard PHI under the same standards as the covered entity.
For AI vendors, the BAA is the contractual instrument that makes it lawful to send PHI through their system. Without a signed BAA, sending PHI to a SaaS or AI tool is a HIPAA violation by the covered entity, regardless of how secure the vendor's platform is.
What a BAA actually requires
Under the HIPAA Privacy and Security Rules (45 CFR §§ 164.502, 164.504, 164.314), a BAA must obligate the business associate to: use PHI only for permitted purposes, implement appropriate safeguards, report breaches and security incidents, ensure sub-processors agree to the same restrictions, return or destroy PHI at contract termination, and make books and records available to HHS for compliance review.
If an AI vendor offers a "BAA" but excludes incident reporting, sub-processor flow-down, or termination data return, ask why. Standard BAA terms are well established; deviations should have a documented rationale.
BAA + AI: the new wrinkle
AI vendors that route prompts through upstream model providers (OpenAI, Anthropic, Google, Mistral) need a BAA from each upstream provider that may see PHI. A vendor signing a BAA itself does not automatically cover its sub-processors. Ask: is the upstream model API in scope of your BAA? If yes, what is that provider's HIPAA stance? Some upstream providers offer BAAs only to enterprise-tier customers with specific configuration. Confirm the chain end-to-end.