What Is a HIPAA Business Associate Agreement and Who Actually Needs One
Written by: Kristen Stanton
May 26, 2026
A Business Associate Agreement is one of the more misunderstood requirements in healthcare compliance. Healthcare operators encounter the term when evaluating software vendors, and they’re often told they need one without a clear explanation of what it is, what it requires, or what it means when a vendor won’t sign one.
This post is educational, not legal advice. For specific guidance about your organization’s HIPAA obligations, consult a qualified healthcare attorney or compliance officer.
What a BAA Is
A Business Associate Agreement is a contract between a HIPAA covered entity and a business associate. Under HIPAA, a business associate is any organization that creates, receives, maintains, or transmits protected health information on behalf of a covered entity in the course of providing services to that covered entity. The BAA spells out what the business associate may do with the PHI, the safeguards it must maintain, and what it must do when something goes wrong.
Software vendors that store, process, or transmit PHI on behalf of a healthcare organization are business associates. That includes EHR vendors, practice management platforms, patient portal providers, cloud storage services used for patient records, and any third-party platform your organization uses to handle patient health information.
Without a signed BAA, the covered entity is not permitted to share PHI with the vendor.
Who Is Required to Have BAAs
Any covered entity that uses a third-party service to handle PHI needs a BAA with that service. Business associates that use subcontractors to handle PHI also need BAAs with those subcontractors. The chain of HIPAA accountability flows through subcontracting relationships.
What It Means When a Vendor Won’t Sign a BAA
When a software vendor says they don’t offer a BAA, they’re telling you they’re not structured to accept the HIPAA compliance obligations that come with handling PHI. This doesn’t mean their security is inadequate. It means they haven’t made the legal, operational, and liability commitments HIPAA requires of business associates.
Using a platform that won’t sign a BAA for operations involving PHI is a HIPAA violation, regardless of the vendor’s security practices.
This is a common issue with consumer scheduling tools, general-purpose no-code platforms, and AI app builders. Many of them have solid security. Almost none are structured to sign BAAs, because doing so creates regulatory exposure they haven’t been built to manage.
What to Look For When Evaluating Vendors
The BAA question should come before the feature evaluation. If the vendor can’t sign a BAA, the feature discussion is irrelevant for PHI-handling use cases.
When reviewing a BAA, check: the scope of permitted uses and disclosures of PHI, breach notification timelines (HIPAA requires the business associate to notify you without unreasonable delay and no later than 60 days after discovery; many covered entities negotiate a shorter window), subcontractor flow-down requirements, data return or destruction obligations at contract termination, and the vendor's ability to support HIPAA audits. Also confirm which products and plan tiers the BAA actually covers. A vendor's BAA often applies only to specific services or to customers on a designated plan, and PHI placed in a feature outside that scope is not protected by the agreement.
Knack Health signs BAAs for covered entities and business associates on HIPAA plans. HIPAA plans include encrypted data at rest and in transit, role-based access controls, record change logs, and SOC 2 Type II documentation.
Knack Health provides HIPAA-ready hosting, a signed Business Associate Agreement, encrypted data, role-based access, and record change logs on every HIPAA plan, starting at $625/month, flat-rate.
Frequently Asked Questions
Does a BAA mean the vendor is HIPAA-certified?
No. HIPAA does not have a certification program, and no third party can make a vendor "HIPAA-certified." A vendor that signs a BAA is making a legal commitment to comply with HIPAA's requirements for business associates; the agreement itself does not verify that the vendor's controls work, which is why independent evidence such as a SOC 2 Type II report matters alongside the signature. Knack Health provides SOC 2 Type II documentation and details of its HIPAA compliance program on request.
What happens if we’re using a platform without a BAA?
Operating without a required BAA is a HIPAA violation. If you discover you're using a non-BAA platform for PHI, migrate to a compliant platform as quickly as operationally possible and document your remediation steps. Because sharing PHI with a vendor that is not under a BAA is an impermissible disclosure, the Breach Notification Rule presumes it is a breach unless a documented risk assessment shows a low probability that the PHI was compromised, so involve your compliance officer or counsel to determine whether notification is required. Knack Health's team can help you scope a migration.
Does every software tool we use need a BAA?
Only vendors that handle PHI in the course of providing their services to you need a BAA. A tool that your staff uses but that doesn't touch patient data doesn't require one. The trigger is whether PHI enters the vendor's platform or infrastructure, not whether the vendor ever looks at it: a cloud service that stores encrypted PHI is still a business associate even if it never holds the decryption key. The narrow exception is a pure conduit that only transmits data and has no more than transient access, such as an internet service provider or a courier.
Can we get a BAA for a consumer tool by asking?
Some vendors offer BAAs only on higher-tier plans. Others won’t offer them at any price level because they’re not structured to take on the associated obligations. The only way to know is to ask. If you need a BAA and the vendor can’t provide one, the answer is to use a different vendor.