What Is a BAA (Business Associate Agreement)?

What a Business Associate Agreement covers, when HIPAA requires one, and what it costs a practice to skip it.

Get started for freeSchedule a demo →

A Business Associate Agreement (BAA) is a contract HIPAA requires between a healthcare organization and any vendor that handles protected health information on its behalf. HIPAA calls the organization the covered entity and the vendor the business associate. The BAA makes the vendor legally responsible for safeguarding PHI. Without a signed BAA, sharing patient information with a vendor is a HIPAA violation, even if no breach ever happens. BloomText includes a signed BAA on every plan, including the free plan.

What a Business Associate Agreement is

HIPAA sets national rules for how patient information can be used and shared. A Business Associate Agreement is the contract that extends those rules to your vendors. It spells out what a vendor can do with protected health information (PHI), how the vendor must protect it, and what the vendor must do if something goes wrong.

The agreement is not a formality. The HIPAA Privacy Rule requires it, and the U.S. Department of Health and Human Services publishes sample BAA provisions so both sides know what the contract must contain.

At minimum, a BAA must describe the permitted uses of PHI and require safeguards against misuse. It must also require the vendor to report breaches to you and to return or destroy PHI when the relationship ends.

Covered entity and business associate: who is who

A covered entity is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically. Your practice, clinic, or agency is almost certainly a covered entity. HHS publishes the full definition of covered entities if you want to confirm your status.

A business associate is any person or company that creates, receives, maintains, or transmits PHI on a covered entity's behalf. Billing services, cloud storage providers, transcription services, and texting platforms all qualify. HHS explains the role in its business associates guidance.

The roles chain downward. If your texting vendor runs on a cloud host, that host becomes a subcontractor business associate and needs its own BAA with the vendor. You sign one agreement, and the vendor is responsible for the chain below it.

When you need a BAA

You need a signed BAA before any PHI touches a vendor's systems. PHI is broader than charts and diagnoses. A patient's name and phone number tied to an appointment already qualify. See What is PHI? for the full definition.

Texting is the everyday case. The moment a staff member messages a patient about care through a platform, that platform is handling PHI. If the vendor will not sign a BAA, the tool is not an option for patient communication, no matter how secure it claims to be.

Some familiar tools won't sign one at all. WhatsApp won't. iMessage won't. Phone carriers won't sign one for standard SMS either. That is why ordinary texting cannot be made compliant by policy alone.

What happens without one

Regulators treat a missing BAA as a violation on its own. The Center for Children's Digestive Health paid $31,000 to settle with the HHS Office for Civil Rights after it could not produce a signed BAA with its records storage vendor.

Advanced Care Hospitalists, a Florida physician group, paid $500,000 after sharing PHI with a billing vendor without a BAA.

In both cases the penalty did not depend on hackers or stolen data. The missing contract was the violation. An audit, a patient complaint, or a vendor's own breach can surface the gap at any time.

How BloomText handles the BAA

BloomText includes a signed Business Associate Agreement on every plan, including the free plan. You do not pay extra for it, and you do not negotiate for it. It is part of signing up.

That matters because many platforms gate the BAA behind a paid tier. Google Voice, for example, only offers a BAA through paid Google Workspace plans. Checking the BAA first saves you from discovering the gap after staff already text patients.

The BAA covers messages and files sent through BloomText. Encryption in transit and at rest, access controls, and audit logs back up the contract with the safeguards HIPAA expects.

Get a signed BAA on the free plan

Get started for freeSchedule a demo →

Frequently Asked Questions

What does BAA stand for?
BAA stands for Business Associate Agreement. Some organizations call it a business associate contract. Both names refer to the same HIPAA-required contract between a covered entity and a vendor that handles PHI on its behalf.
Is a BAA required by law?
Yes. The HIPAA Privacy Rule requires a covered entity to have a signed BAA before a business associate creates, receives, maintains, or transmits PHI on its behalf. HHS publishes sample provisions that show what the contract must contain.
Do I need a BAA to text patients?
Yes, when texts contain PHI. A patient's name and phone number tied to an appointment already qualify. Your texting vendor must sign a BAA before staff send the first message. BloomText includes a signed BAA on every plan, including the free plan.
What happens if I use a vendor without a BAA?
Sharing PHI with a vendor that has not signed a BAA is a HIPAA violation even if no breach occurs. Organizations have paid HHS settlements of $31,000 and $500,000 in cases where the central failure was a missing BAA.
Do free plans come with a BAA?
It depends on the vendor. Many platforms reserve the BAA for paid or enterprise tiers, and some consumer tools won't sign one at any price. BloomText signs a BAA on the free plan, so check each vendor before any patient information reaches its systems.
Who signs the BAA?
An authorized representative of your organization, such as the owner, administrator, or compliance officer, and an authorized representative of the vendor. Keep the signed copy where you can produce it during an audit.
Is a BAA the same as a confidentiality agreement?
No. A confidentiality agreement or NDA protects business information between two parties. A BAA implements specific HIPAA obligations for PHI: permitted uses, required safeguards, breach notification, and return or destruction of data when the contract ends.

Sources

Last verified July 8, 2026.

  1. HHS: Sample Business Associate Agreement Provisions
  2. HHS: Covered Entities and Business Associates
  3. HHS: Business Associates Guidance
  4. HHS OCR: Center for Children's Digestive Health Resolution Agreement
  5. HHS OCR: Advanced Care Hospitalists Resolution Agreement