What a Business Associate Agreement covers, when HIPAA requires one, and what it costs a practice to skip it.
Get started for freeSchedule a demo →A Business Associate Agreement (BAA) is a contract HIPAA requires between a healthcare organization and any vendor that handles protected health information on its behalf. HIPAA calls the organization the covered entity and the vendor the business associate. The BAA makes the vendor legally responsible for safeguarding PHI. Without a signed BAA, sharing patient information with a vendor is a HIPAA violation, even if no breach ever happens. BloomText includes a signed BAA on every plan, including the free plan.
HIPAA sets national rules for how patient information can be used and shared. A Business Associate Agreement is the contract that extends those rules to your vendors. It spells out what a vendor can do with protected health information (PHI), how the vendor must protect it, and what the vendor must do if something goes wrong.
The agreement is not a formality. The HIPAA Privacy Rule requires it, and the U.S. Department of Health and Human Services publishes sample BAA provisions so both sides know what the contract must contain.
At minimum, a BAA must describe the permitted uses of PHI and require safeguards against misuse. It must also require the vendor to report breaches to you and to return or destroy PHI when the relationship ends.
A covered entity is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically. Your practice, clinic, or agency is almost certainly a covered entity. HHS publishes the full definition of covered entities if you want to confirm your status.
A business associate is any person or company that creates, receives, maintains, or transmits PHI on a covered entity's behalf. Billing services, cloud storage providers, transcription services, and texting platforms all qualify. HHS explains the role in its business associates guidance.
The roles chain downward. If your texting vendor runs on a cloud host, that host becomes a subcontractor business associate and needs its own BAA with the vendor. You sign one agreement, and the vendor is responsible for the chain below it.
You need a signed BAA before any PHI touches a vendor's systems. PHI is broader than charts and diagnoses. A patient's name and phone number tied to an appointment already qualify. See What is PHI? for the full definition.
Texting is the everyday case. The moment a staff member messages a patient about care through a platform, that platform is handling PHI. If the vendor will not sign a BAA, the tool is not an option for patient communication, no matter how secure it claims to be.
Some familiar tools won't sign one at all. WhatsApp won't. iMessage won't. Phone carriers won't sign one for standard SMS either. That is why ordinary texting cannot be made compliant by policy alone.
Regulators treat a missing BAA as a violation on its own. The Center for Children's Digestive Health paid $31,000 to settle with the HHS Office for Civil Rights after it could not produce a signed BAA with its records storage vendor.
Advanced Care Hospitalists, a Florida physician group, paid $500,000 after sharing PHI with a billing vendor without a BAA.
In both cases the penalty did not depend on hackers or stolen data. The missing contract was the violation. An audit, a patient complaint, or a vendor's own breach can surface the gap at any time.
BloomText includes a signed Business Associate Agreement on every plan, including the free plan. You do not pay extra for it, and you do not negotiate for it. It is part of signing up.
That matters because many platforms gate the BAA behind a paid tier. Google Voice, for example, only offers a BAA through paid Google Workspace plans. Checking the BAA first saves you from discovering the gap after staff already text patients.
The BAA covers messages and files sent through BloomText. Encryption in transit and at rest, access controls, and audit logs back up the contract with the safeguards HIPAA expects.
Last verified July 8, 2026.