This is engineering guidance, not legal advice. Confirm specifics with qualified counsel.

Why this matters

The fastest way to fail a HIPAA review has nothing to do with weak ciphers — it is a vendor list with a missing contract. The Office for Civil Rights (OCR), HIPAA's enforcer, has settled cases where the only headline failure was an unsigned BAA: $750,000 for one orthopedic clinic, $31,000 for a pediatric practice whose storage vendor never had one. A telemedicine platform multiplies the risk because its vendor count grows fast: video infrastructure, recordings storage, transcription, scheduling, notifications, analytics. This article is for the founder, product manager, or hospital IT lead who needs to know which of those vendors need the contract, what the contract must say, what to check before signing — and how to audit the whole list in an afternoon.

The contract behind the key

In the HIPAA anchor article we used an analogy worth refreshing: a Business Associate Agreement is the signed promise every contractor must make before they get a key to the building. Patient data is the building. Any company that handles it for a healthcare organization gets a key — and HIPAA says nobody gets a key without the signed promise first.

The legal mechanics sit in two places. The Privacy Rule says a covered entity — the clinic, health plan, or telehealth medical group — may disclose PHI to a vendor only after obtaining "satisfactory assurances" that the vendor will safeguard it, and those assurances must be documented in a written contract (45 CFR §164.502(e)). The contract's mandatory content is spelled out in §164.504(e); the Security Rule mirrors the requirement for electronic PHI in §164.308(b) and §164.314(a). The vendor in this relationship is called a business associate — defined in §160.103 as anyone who creates, receives, maintains, or transmits PHI on a covered entity's behalf.

Three properties of this arrangement decide architectures, so they are worth stating plainly. First, the BAA is not a courtesy document; without it, the disclosure of PHI to the vendor is itself a HIPAA violation, even if no record ever leaks. Second, since the 2013 Omnibus Rule (78 FR 5566), business associates carry direct liability: OCR can investigate and fine a vendor without involving its customer. Third, the obligation cascades — a business associate must put the same contract on every subcontractor that touches the PHI (§164.502(e)(1)(ii), §164.504(e)(5)). The chain, not any single link, is the unit of compliance.

Follow the data: the chain has no gaps

Picture a typical build. A hospital contracts your company to run video visits. Your platform runs on a public cloud, carries calls through a video API, sends consult audio to a transcription service, and pushes visit summaries to the hospital's electronic health record (EHR) through an integration vendor. Count the contracts: the hospital signs BAA #1 with you. You sign BAA #2 with the cloud provider, BAA #3 with the video API vendor, BAA #4 with the transcription vendor, and BAA #5 with the EHR integration vendor. If the transcription vendor sub-processes audio through its own cloud account, that is a sixth agreement — between the transcription vendor and its cloud, not yours, but your contract with them must require it.

Figure 1. The BAA chain for a typical telemedicine build. Every hop where PHI lands on someone else's infrastructure needs its own signed agreement — the chain, not the link, is the unit of compliance. (Diagram: data flow of a telemedicine build showing a signed BAA required on every hop where PHI lands.)

Walk the arithmetic once, because the count surprises teams. One upstream agreement with your covered-entity customer, plus four downstream agreements with your own vendors, equals 1 + 4 = 5 signed contracts before your first production consult — and that is a lean stack. Add a notification service, an error tracker that sees request payloads, and a data warehouse, and 5 + 3 = 8. Your BAA inventory is the same list as your PHI map: if the risk analysis says PHI lands somewhere, a BAA covers that somewhere, or the architecture changes.

Two structural notes keep the chain honest. The subcontractor agreements must impose the same restrictions and conditions that flow from the original covered entity (§164.504(e)(5)) — the promises do not dilute as they cascade. And the law polices known rot: if you know a subcontractor is materially violating its agreement and you neither cure it nor terminate, you are out of compliance yourself (§164.504(e)(1)(iii)).

Who does not need one — and who only pretends not to

Not every vendor in your diagram is a business associate. HIPAA carves out a few roles, and knowing them precisely saves both over-papering and false confidence.

The conduit exception. A service that merely transports PHI without persistent access — the postal service, a courier, an internet service provider moving packets — is a conduit, not a business associate. The exception is deliberately narrow: HHS describes it as covering transmission-only services, including any storage that is purely transient and incidental to transmission. The test is persistence of access, not whether the vendor promises to look away. Email providers, fax services, messaging platforms, and cloud storage vendors all fail the test, because data sits on their systems persistently. When a vendor's sales page claims "we're just a conduit, no BAA needed" about anything that stores messages, recordings, or files — that is a claim to verify with counsel, not accept.

The no-view trap deserves its own paragraph. Teams regularly assume that encrypting data before it reaches a vendor removes the vendor from HIPAA's scope. HHS's cloud-computing guidance says the opposite: a cloud provider that stores encrypted ePHI is a business associate even if it cannot read the data and does not hold the decryption key. Lacking the key changes which Security Rule safeguards each side handles; it does not change the vendor's status or the need for a contract. Remember the section rule: encrypted is not compliant — encryption and the BAA solve different problems, and you need both.

Payment processing. Section 1179 of the HIPAA statute exempts financial institutions' payment activities — authorizing, processing, clearing, settling, billing, transferring, or collecting payments. Your card processor handling a co-pay transaction is not your business associate for that activity. The exemption stops at payment processing per se: a vendor running accounts-receivable workflows or storing invoices that describe treatments has crossed back into business-associate territory.

Your own workforce. Employees and contractors under your direct control are workforce members, not business associates — they are covered by your training, policies, and access controls instead of a contract with themselves.

Provider-to-provider treatment. A covered entity disclosing PHI to another provider for treatment — your platform's physician referring a patient to a specialist — does not need a BAA for that disclosure; treatment disclosures have their own permission.

Figure 2. The classification question, vendor by vendor. The safe default for anything that stores or processes PHI persistently is "business associate — get the contract." (Diagram: decision tree for whether a vendor needs a BAA, a conduit pass, a payment exemption, or no PHI at all.)

The ten promises: what the contract must say

The required content of a BAA is not folklore; it is a list in §164.504(e)(2), and HHS publishes sample provisions on its own site. Stripped of legal phrasing, the contract must establish what the vendor may do with the PHI, and then extract ten promises. Each one lands somewhere in your product or process — this is the part of the article to read with your backlog open.

| # | The clause (45 CFR §164.504(e)(2)) | Where it lands in your product |
|---|---|---|
| 1 | Permitted and required uses and disclosures, established up front | The vendor may use PHI only for the service it provides — not to improve its models, not for marketing |
| 2 | No use or disclosure beyond the contract or the law — (ii)(A) | Your own roadmap limit when you are the BA: "the data was already there" is never a permission |
| 3 | Appropriate safeguards; Security Rule compliance for ePHI — (ii)(B) | The vendor's architecture is now your audit surface; ask for evidence, not adjectives |
| 4 | Report impermissible uses, disclosures, and breaches (§164.410) — (ii)(C) | Your incident runbook inherits the vendor's notice; the regulation's outer limit is 60 days, contracts typically demand 5–10 |
| 5 | Flow the same conditions down to every subcontractor — (ii)(D) | A vendor-onboarding gate: no sub-processor without an equivalent agreement |
| 6 | Make PHI available for patient access (§164.524) — (ii)(E) | Export APIs that can produce one patient's data on a 30-day clock |
| 7 | Make PHI available for amendment (§164.526) — (ii)(F) | Records must be correctable, not append-only blobs |
| 8 | Provide data for an accounting of disclosures (§164.528) — (ii)(G) | Disclosure logging designed in, not reconstructed later |
| 9 | Open internal practices, books, and records to HHS — (ii)(I) | Documentation that exists before the Secretary asks |
| 10 | Return or destroy all PHI at termination, if feasible — (ii)(J) | Offboarding is an engineering feature: a deletion pipeline, backup expiry, and a destruction certificate |

The contract must also give the covered entity the right to terminate for material breach (§164.504(e)(2)(iii)), and clause 2 has a measured carve-out: a business associate may use PHI for its own "proper management and administration" if the contract says so (§164.504(e)(4)). That carve-out is where modern trouble concentrates. A vendor's standard terms saying it "may use customer data to improve services" is acceptable for telemetry about its servers — and a violation waiting to happen if it reaches PHI. The adjacent clause to hunt for is de-identification rights: many vendors reserve the right to de-identify PHI and keep the result. That can be lawful when the de-identification meets the HIPAA standard — and it still deserves a deliberate yes or no from you, because de-identified-and-retained data trains someone else's product on your patients' consults.

Reading a vendor BAA in twenty minutes

Hyperscaler and platform BAAs are mostly take-it-or-leave-it, so the skill is not negotiation — it is knowing exactly what to check before you rely on one. Five checks cover most of the risk.

Scope: which products, which plans. A BAA covers named services, not the vendor's logo. AWS's agreement applies only to services on its HIPAA-eligible list (updated February 10, 2026); using a non-eligible service for PHI puts you outside the contract even with the BAA signed. Zoom signs BAAs on healthcare and eligible business plans, not free accounts. Video-API vendors gate BAAs to specific tiers. The verification question is always concrete: is the exact product, on the exact plan we pay for, covered in writing?

Your configuration obligations. Cloud BAAs ride on a shared-responsibility model: the vendor secures the infrastructure, you configure the services. The BAA does not retroactively bless a public recordings bucket. Signed contract plus default settings is the most common false-confidence state in telemedicine builds.

The breach-notice window. The Breach Notification Rule's outer limit for a business associate to notify the covered entity is 60 days from discovery (§164.410), but the covered entity's own 60-day patient-notice clock starts running at the same time — so real contracts compress the vendor's window to 5–10 days, sometimes 72 hours. Know your inbound windows (what your vendors owe you) and your outbound one (what your customers' BAAs demand of you), and put both in the incident runbook.

Termination mechanics. Clause 10 above sounds clean — return or destroy at termination — until you ask a vendor how. What is the deletion timeline across replicas and backups? Is there a destruction certificate? Is data export available in a usable format first? An offboarding you cannot execute is a clause you do not actually have.

AI-vendor specifics. Transcription, scribe, and language-model vendors are business associates the moment consult audio or notes reach them. The 2026 pattern among major AI API providers is a BAA available on request or on enterprise tiers, usually paired with a zero-data-retention configuration — and the configuration is part of the deal: process audio through an endpoint or mode outside the agreed scope and you have left the BAA's protection without touching a contract. Treat "BAA available" and "BAA applies to the exact endpoint and retention mode we use" as two separate facts to verify in writing.

Figure 3. The twenty-minute vendor-BAA review. Scope and plan first — most false confidence comes from a real signature on the wrong product. (Diagram: checklist card of the five checks to run on any vendor BAA before relying on it.)

The telemedicine stack, vendor by vendor

Here is the 2026 map of a typical telemedicine stack's BAA posture. Categories are stable; specific vendors, products, and plans change — verify directly with the vendor, in writing, before PHI flows.

| Stack layer | Examples (2026) | BAA available? | What to watch |
|---|---|---|---|
| Cloud infrastructure | AWS, Google Cloud, Microsoft Azure | Yes — self-service (e.g., AWS Artifact) | Only HIPAA-eligible services, configured per the vendor's reference architecture |
| Video API / CPaaS | Vonage, Daily, Zoom (healthcare plans) | Yes — on specific plans/tiers | Twilio's Programmable Video was discontinued (Dec 2024) — re-verify any older stack built on it |
| Managed WebRTC cloud | LiveKit Cloud and similar | Yes — typically on higher/enterprise tiers | Confirm the tier; self-hosting the same software is a different row |
| Self-hosted SFU/TURN | mediasoup, Janus, LiveKit (self-hosted) | N/A — no vendor touches PHI | No BAA exists to sign; the entire compliance burden shifts to your team — see build vs buy |
| Transcription / AI APIs | Medical-grade ASR, scribe, LLM APIs | Varies — request or enterprise tier | Zero-data-retention mode and endpoint scope are part of the BAA's coverage |
| EHR integration | Redox, Health Gorilla, direct FHIR | Yes — core to their business | Subcontractor chains run deep here; ask for the sub-processor list |
| Product analytics | Google Analytics | No — Google does not sign for GA | Must never receive PHI; use a BAA-covered or self-hosted alternative |
| Email / SMS / push | Consumer-tier messaging tools | Usually no on consumer tiers | Appointment reminders carry PHI; use a BAA-covered channel or strip the content |
| Error tracking / observability | Varies | Varies | Best practice regardless: scrub PHI before it reaches the tool |
| Payments | Card processors, banks | Exempt for payment processing (HIPAA §1179) | Exemption ends where stored treatment details begin |

BAA availability is per vendor, per product, per plan, per date. This table is a 2026 category map, not a substitute for the written confirmation step in the checklist below.

Where the BAA gap hides

Common mistake gallery — every one of these is a real audit finding pattern. The analytics SDK initialized at app launch, shipping device identifiers and consult-page URLs — both PHI identifiers — to a vendor that will never sign a BAA. Session recordings synced to a storage bucket on a developer's personal account: no BAA covers that account, and no risk analysis lists it. Appointment reminders flowing through a consumer email tier — "Reminder: your dermatology biopsy follow-up" is PHI in a subject line. A signed BAA with the cloud provider while the team uses a service that is not on the eligible list. A plan downgrade during cost-cutting that silently voids BAA eligibility. A vendor that quietly added a sub-processor your contract never flowed down to. And the quietest one: the BAA that was drafted, emailed, and never countersigned — the Center for Children's Digestive Health disclosed records to its storage vendor for years and could not produce a signed agreement when OCR asked; that absence alone cost $31,000.

Figure 4. Where the gap hides. The video call is rarely the violation — the periphery is: analytics, notifications, storage copies, and side channels nobody papered. (Diagram: compliance-boundary view showing where un-BAA'd components leak PHI out of a telemedicine stack.)

The pattern across all of these: the BAA gap is almost never the core video path, which everyone scrutinizes. It is the periphery — the same periphery that produces most telemedicine HIPAA failures.
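One way to keep an error tracker in the "never receives PHI" column, which the mistake gallery above and the observability row of the stack table both call for, is a pre-send filter that allow-lists event fields and redacts the identifier segments of request URLs before anything leaves your boundary. The Python below is an added example, not code from the original article or from Fora Soft; the event shape, the path prefixes, the sample event and the hook it would plug into are all constructed assumptions, not any tracker SDK's real schema.

```python
"""Pre-send PHI scrub for error-tracker events.

Added example: the event layout, the path prefixes and SAMPLE_EVENT are
constructed for illustration and do not mirror any real SDK's schema.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Allow-list: only these top-level keys may leave the boundary. Anything not
# named here (user, device_id, request body, headers, breadcrumbs) is dropped,
# which is safer than trying to enumerate what PHI looks like.
ALLOWED_KEYS = {"event_id", "timestamp", "level", "exception_type", "stack", "release", "request"}
ALLOWED_REQUEST_KEYS = {"method", "url", "status"}

# A path segment that follows one of these names identifies a person or a consult.
ID_PREFIXES = {"patients", "consults", "appointments", "recordings"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def redact_url(url: str) -> str:
    """Replace identifier path segments and drop the query string wholesale."""
    parts = urlsplit(url)
    out, redact_next = [], False
    for seg in parts.path.split("/"):
        if redact_next and seg:
            out.append("[redacted]")
            redact_next = False
            continue
        out.append(seg)
        redact_next = seg in ID_PREFIXES
    # Query strings carry ids, names and e-mail addresses: never forward them.
    return urlunsplit((parts.scheme, parts.netloc, "/".join(out), "", ""))


def scrub_text(text: str) -> str:
    """Stack frames sometimes carry local values; at minimum strip e-mail addresses."""
    return EMAIL_RE.sub("[email]", text)


def scrub_event(event: dict) -> dict:
    """The before-send hook body: returns the event the tracker is allowed to see."""
    clean = {k: v for k, v in event.items() if k in ALLOWED_KEYS}
    req = clean.get("request")
    if isinstance(req, dict):
        req = {k: v for k, v in req.items() if k in ALLOWED_REQUEST_KEYS}
        if "url" in req:
            req["url"] = redact_url(req["url"])
        clean["request"] = req
    if isinstance(clean.get("stack"), str):
        clean["stack"] = scrub_text(clean["stack"])
    return clean


SAMPLE_EVENT = {  # constructed: the kind of payload a server-side tracker collects by default
    "event_id": "evt-0001",
    "timestamp": "2026-06-11T14:02:00Z",
    "level": "error",
    "exception_type": "TimeoutError",
    "release": "telehealth-api@1.4.2",
    "stack": "File notes.py line 88, in save_note: upstream timeout for jane.doe@example.org",
    "request": {
        "method": "POST",
        "url": "https://app.example.test/consults/c-77812/notes?patient=jane.doe%40example.org",
        "status": 504,
        "body": {"note": "dermatology biopsy follow-up"},
        "headers": {"authorization": "Bearer [token]"},
    },
    "user": {"email": "jane.doe@example.org", "name": "Jane Doe"},
    "device_id": "device-0042",
}

if __name__ == "__main__":
    print(scrub_event(SAMPLE_EVENT))
```

Register `scrub_event` as whatever pre-send callback your tracker SDK offers, and treat the allow-list as the contract: a new field reaches the vendor only after someone has decided it cannot carry PHI. Note the direction of the design choice: dropping everything not on the list fails safe, whereas a deny-list of known PHI patterns fails open the first time a new field appears.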

What the missing contract costs

OCR's enforcement record makes the price of the gap concrete. Raleigh Orthopaedic Clinic paid $750,000 in 2016 after handing X-ray films and related PHI of about 17,300 patients to a vendor without any BAA. North Memorial Health Care paid $1,550,000 the same year in a case where the headline findings included a missing BAA with a major contractor. Advanced Care Hospitalists paid $500,000 in 2018 after using a billing service with no BAA — and no risk analysis. The Center for Children's Digestive Health's $31,000 settlement is the floor that proves the point: no breach drama, just years of disclosures to a records-storage vendor with no signed contract.

The exposure arithmetic explains why settlements land where they do. Under the penalty amounts effective January 28, 2026, violations run $145 to $73,011 each, with an annual cap of $2,190,294 per violated provision — and each impermissible disclosure can count separately. Walk one scenario out loud: appointment reminders for 200 patients a day flow through an un-BAA'd email tool. In 90 days that is 200 × 90 = 18,000 impermissible disclosures. Even at the tier-1 minimum of $145, the formula gives 18,000 × $145 = $2,610,000 — already above the $2,190,294 annual cap, which becomes the operative number. OCR settlements usually land far below the theoretical maximum, but the calculation is the regulator's leverage, and the 2026 penalty table resets upward each January.

Against that, the cost of closing the gap is small and mostly one-time: hyperscaler BAAs are self-service and free; healthcare tiers of communication platforms cost a plan delta; the engineering work is routing PHI away from vendors that will not sign. The asymmetry is the entire argument.

The BAA in 2026: from paperwork to evidence

One regulatory shift is worth planning for. The proposed HIPAA Security Rule update (90 FR 898, January 6, 2025 — still a proposed rule as of June 11, 2026) would turn the BAA relationship from a one-time signature into an annual evidence exchange: business associates would deliver every covered-entity customer a written verification of their technical safeguards, certified by a subject-matter expert, every 12 months, and notify customers within 24 hours of activating a contingency plan. Existing BAAs would get a transition period for re-papering. If it finalizes, your vendor files grow a new annual artifact in each direction — collected from every subcontractor, produced for every customer. The full change set, timelines, and the political state of the rulemaking are in our 2026 Security Rule article.

Two cousins worth knowing by name

If your platform serves substance-use-disorder treatment programs, a BAA alone is not enough: records covered by 42 CFR Part 2 require a Qualified Service Organization Agreement (QSOA), under which the vendor agrees to be fully bound by Part 2 and to resist efforts to obtain the records in legal proceedings — protections HIPAA does not impose. Many organizations use a combined QSOA/BAA. The specialty rules that trigger this are covered in state and specialty rules. And if you serve EU or UK patients, the GDPR analogue is the Article 28 data-processing agreement (DPA) — similar instinct, different law, and one never substitutes for the other; the mapping lives in our global health-data article.

Run the audit this week

The whole topic compresses into a four-step exercise a product team can run in an afternoon, no lawyers required for the first pass.

  1. Inventory. List every system and vendor from your PHI map — including the unglamorous ones: error trackers, data warehouses, notification services, backup destinations.
  2. Classify. For each: business associate, conduit, payment-exempt, workforce, or no-PHI. Use Figure 2; default anything persistent to "business associate."
  3. Verify. For each business associate: a countersigned BAA on file; the exact product and plan covered in writing; your configuration matching the vendor's HIPAA guidance; the breach-notice window recorded in your runbook; the sub-processor list current.
  4. Fix. For each gap: sign the agreement, upgrade to the covered tier, replace the vendor, or re-route the data so PHI never reaches it.
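The four steps above, with the breach-notice check from the contract-review section folded into step 3, as an added example in Python that is not part of the original article and is not Fora Soft's tooling. Every vendor name, plan, date and field name on the Vendor record is constructed for illustration, and the ten-day outbound notice obligation used as the default is an assumption about what a customer's BAA might demand; the `persistent` and `receives_phi` flags are inputs you fill in after checking with the vendor (and counsel where the conduit question is close), not something a script can decide for you.

```python
"""Vendor-BAA inventory audit: inventory -> classify -> verify -> fix list.

Added example. All vendors, plans, dates and field names are constructed;
the default outbound notice window is an assumption, not a regulatory figure.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Vendor:
    name: str
    role: str                                # what the vendor does for the platform
    receives_phi: bool                       # does PHI land on its systems at all?
    persistent: bool                         # does it persist beyond transmission? (conduit test)
    payment_only: bool = False               # HIPAA §1179 payment-processing activity only
    workforce: bool = False                  # under your direct control: policies, not a contract
    baa_countersigned: bool = False
    covered_plan: Optional[str] = None       # product/plan the BAA covers, in writing
    plan_in_use: Optional[str] = None
    config_verified: bool = False            # settings checked against the vendor's HIPAA guidance
    notice_days: Optional[int] = None        # inbound breach-notice window in the contract
    subprocessor_list_dated: Optional[str] = None
    zero_retention_required: bool = False    # AI vendors: BAA scope tied to a retention mode
    zero_retention_configured: bool = False


def classify(v: Vendor) -> str:
    """Figure 2's categories; anything persistent defaults to business associate."""
    if v.workforce:
        return "workforce"
    if not v.receives_phi:
        return "no-phi"
    if v.payment_only:
        return "payment-exempt"
    if not v.persistent:
        return "conduit"
    return "business-associate"


def verify(v: Vendor, outbound_notice_days: int) -> List[str]:
    """Step 3 for one vendor: the list of gaps, empty when nothing needs fixing."""
    gaps: List[str] = []
    if classify(v) != "business-associate":
        return gaps  # nothing to paper; the classification itself is the record
    if not v.baa_countersigned:
        gaps.append("no countersigned BAA on file")
    if v.covered_plan is None or v.plan_in_use != v.covered_plan:
        gaps.append(f"plan in use ({v.plan_in_use}) is not the plan covered in writing ({v.covered_plan})")
    if not v.config_verified:
        gaps.append("configuration not checked against the vendor's HIPAA guidance")
    if v.notice_days is None:
        gaps.append("breach-notice window not recorded in the runbook")
    elif v.notice_days >= outbound_notice_days:
        gaps.append(f"inbound notice window of {v.notice_days} days leaves no margin inside our "
                    f"{outbound_notice_days}-day outbound obligation")
    if v.subprocessor_list_dated is None:
        gaps.append("no current sub-processor list on file")
    if v.zero_retention_required and not v.zero_retention_configured:
        gaps.append("BAA scope requires zero-data-retention mode, which is not configured")
    return gaps


def audit(inventory: List[Vendor], outbound_notice_days: int = 10) -> Dict[str, dict]:
    """Steps 2 and 3 over the whole inventory."""
    return {v.name: {"class": classify(v), "gaps": verify(v, outbound_notice_days)} for v in inventory}


def fix_list(report: Dict[str, dict]) -> List[str]:
    """Step 4: the vendors that need a signature, a tier change, a replacement or a re-route."""
    return [name for name, r in report.items() if r["gaps"]]


INVENTORY = [  # constructed inventory; names and plans are placeholders
    Vendor("ExampleCloud", "compute and recordings storage", True, True,
           baa_countersigned=True, covered_plan="enterprise", plan_in_use="enterprise",
           config_verified=True, notice_days=5, subprocessor_list_dated="2026-05-01"),
    Vendor("ExampleVideoAPI", "video infrastructure", True, True,
           baa_countersigned=True, covered_plan="healthcare", plan_in_use="developer",
           config_verified=True, notice_days=5, subprocessor_list_dated="2026-04-15"),
    Vendor("ExampleScribe", "consult transcription", True, True,
           baa_countersigned=True, covered_plan="enterprise", plan_in_use="enterprise",
           config_verified=True, notice_days=30, subprocessor_list_dated="2026-03-01",
           zero_retention_required=True, zero_retention_configured=False),
    Vendor("ExampleAnalytics", "product analytics (sees consult-page URLs)", True, True),
    Vendor("ExampleCardProcessor", "co-pay processing", True, True, payment_only=True),
    Vendor("ExampleISP", "network transit only", True, False),
    Vendor("ExampleErrorTracker", "error tracking, PHI scrubbed before send", False, True),
]

if __name__ == "__main__":
    report = audit(INVENTORY)
    for name, r in report.items():
        print(f"{name:22} {r['class']:20} {'OK' if not r['gaps'] else ''}")
        for gap in r["gaps"]:
            print(f"    - {gap}")
    print("fix list:", fix_list(report))
```

The output is the afternoon's work product: each vendor's classification, the gaps per business associate, and the fix list. The notice-window check is the one most teams miss; a vendor that owes you notice in 30 days while your customer's BAA gives you 10 is a gap even though every signature is in place.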

Print-ready version: Download the BAA vendor checklist — the classification test, the ten required clauses, the five contract checks, and a vendor-by-vendor worksheet on one page. The audit-grade version of this exercise, with evidence requirements per safeguard, is the HIPAA readiness checklist.

Where Fora Soft fits in

Fora Soft has built video software since 2005 — telemedicine platforms among 239+ shipped projects — and we treat the BAA chain as an architecture input, not an afterthought. When we scope a telemedicine build, the vendor map and the PHI boundary are drawn together: every component either has a BAA path, is self-hosted inside your boundary, or never sees PHI by design. That discipline shows up in concrete engineering — recordings pipelines on BAA-covered storage, transcription routed through agreed zero-retention endpoints, analytics that receive de-identified events only. If a HIPAA review is in your product's future, the cheapest time to close BAA gaps is before the vendor contracts are signed.

Building a telemedicine product whose vendor list has to survive a HIPAA review? Talk to our telemedicine team about HIPAA compliance, see our case studies, or download the BAA vendor checklist.

References

  1. 45 CFR §164.502(e) — disclosures to business associates; satisfactory assurances; subcontractor requirement. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.502 (Tier 1)
  2. 45 CFR §164.504(e) — business associate contracts: required provisions (e)(2), pattern-of-activity duty (e)(1)(ii)–(iii), management-and-administration carve-out (e)(4), subcontractor mirror (e)(5). Read in full 2026-06-11. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.504 (Tier 1)
  3. 45 CFR §164.314(a) — Security Rule organizational requirements for BAAs covering ePHI. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.314 (Tier 1)
  4. 45 CFR §164.410 — business associate breach notification to the covered entity (60-day outer limit). https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.410 (Tier 1)
  5. 45 CFR §160.103 — definitions: business associate (create/receive/maintain/transmit), covered entity, subcontractor. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-A/section-160.103 (Tier 1)
  6. HHS OCR — Business Associate Contracts: Sample Business Associate Agreement Provisions. https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html (Tier 2)
  7. HHS OCR — Guidance on HIPAA & Cloud Computing: no-view services and encrypted ePHI without the key still create business-associate status; conduit FAQ. https://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/cloud-computing/index.html (Tier 2)
  8. Omnibus Final Rule, 78 FR 5566 (January 25, 2013) — direct liability of business associates; subcontractor BAAs; conduit-exception discussion in the preamble. https://www.federalregister.gov/documents/2013/01/25/2013-01073/ (Tier 1)
  9. HIPAA statute §1179 (42 U.S.C. §1320d-8) — financial institutions' payment-processing exemption. https://www.govinfo.gov/link/uscode/42/1320d-8 (Tier 1)
  10. HHS OCR enforcement — Raleigh Orthopaedic Clinic, P.A. of North Carolina resolution agreement (April 2016): $750,000; PHI of ~17,300 patients released to a vendor without a BAA. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/raleigh-orthopaedic-clinic/index.html (Tier 2)
  11. HHS OCR enforcement — Center for Children's Digestive Health (April 2017): $31,000; no signed BAA with records-storage vendor FileFax. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ccdh/index.html (Tier 2)
  12. HHS OCR enforcement — North Memorial Health Care of Minnesota (March 2016): $1,550,000; findings included no BAA with a major contractor. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/north-memorial-health-care/index.html (Tier 2)
  13. HHS OCR enforcement — Advanced Care Hospitalists PL (December 2018): $500,000; billing vendor with no BAA and no risk analysis. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ach/index.html (Tier 2)
  14. HHS OCR — HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information, NPRM, 90 FR 898 (January 6, 2025): proposed annual SME-verified BA verification (prop. §164.308(b)); 24-hour contingency-activation notice; BAA re-papering transition. Proposed, not final, as of 2026-06-11. https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information (Tier 1)
  15. 42 CFR Part 2 — confidentiality of substance-use-disorder records; qualified service organization definition (§2.11). https://www.ecfr.gov/current/title-42/chapter-I/subchapter-A/part-2 (Tier 1)
  16. HHS — Annual Civil Monetary Penalties Inflation Adjustment (effective January 28, 2026): $145–$73,011 per violation; $2,190,294 annual cap per provision. https://www.federalregister.gov/documents/2026/01/28/2026-01688/annual-civil-monetary-penalties-inflation-adjustment (Tier 1)
  17. HHS OCR — Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates (bulletin; scope trimmed for unauthenticated pages by AHA v. HHS, N.D. Tex., June 20, 2024) — tracking vendors as business associates; Google does not sign a BAA for Google Analytics. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html (Tier 2)

Where vendor marketing disagreed with the rule text — most often by presenting "encrypted" or "HIPAA-compliant" badges as removing the need for a signed, scoped BAA, or by calling persistent-storage services "conduits" — this article follows the controlling sources: the CFR text, the Omnibus preamble, and HHS OCR guidance.