BAA Requirements for Clinic Software: What Physician Owners Must Know

Last updated: March 31, 2026

TLDR

Any software vendor that creates, receives, maintains, or transmits protected health information on your behalf is a business associate and requires a signed BAA. This includes your EHR, email provider, cloud storage, task management software, billing service, and IT support. Missing a BAA is one of the most common compliance failures found in OCR investigations.

The Scope of the BAA Requirement

The BAA requirement is broader than most physician clinic owners initially realize. It doesn’t just cover your EHR — it covers every vendor whose services your practice uses in connection with protected health information.

The test is straightforward: does this vendor create, receive, maintain, or transmit PHI as part of performing services for your practice? If yes, they’re a business associate. A business associate without a signed BAA is a compliance violation.

Here’s where physician practices routinely have BAA gaps:

Email: If patient communications go through Gmail or Outlook, those vendors are business associates. Google and Microsoft both offer BAAs on their business tiers. Standard consumer accounts are not covered.

Cloud storage: If your practice stores scanned records, lab results, or patient documents in Google Drive, Dropbox, or OneDrive, those vendors need BAAs. Major cloud providers offer BAAs; consumer versions don’t.

Task management software: If your staff assigns tasks that reference patient names, procedures, or appointments, the task management tool is a business associate. Asana, Monday.com, and most general-purpose tools only offer BAAs on enterprise tiers.

Billing services: Any billing company with access to patient claims data is a business associate.

IT support: If your IT vendor can remotely access systems that contain PHI, they’re a business associate and need a signed BAA.

Building Your BAA Inventory

The practical first step is building an inventory. List every software tool and service vendor your practice uses. For each one, answer three questions:

  1. Does PHI ever enter or pass through this system?
  2. Have we signed a BAA with this vendor?
  3. When does the agreement expire or renew?

This inventory is also an OCR audit document. Investigators reviewing a HIPAA complaint often ask for a list of business associates and their BAA status. An organized, current inventory demonstrates a functioning compliance program.
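As an added example (not code from the article or from PHIGuard), the three inventory questions can be turned into a gap report: each vendor is checked for PHI handling, BAA status, and expiry, and the result flags exactly the gaps an investigator would ask about. Vendor names and dates below are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class VendorEntry:
    """One row of the BAA inventory: the three questions from the article."""
    name: str
    handles_phi: bool          # Q1: does PHI ever enter or pass through this system?
    baa_signed: bool           # Q2: have we signed a BAA with this vendor?
    baa_expires: date | None   # Q3: when does it expire or renew? None = not recorded


def review_inventory(entries, today, renewal_window_days=90):
    """Group vendors by finding type. Vendors that never touch PHI need no BAA and are skipped."""
    findings = {"no_baa": [], "expired": [], "renewing_soon": [], "expiry_unknown": []}
    for e in entries:
        if not e.handles_phi:
            continue                       # Q1 answered "no": nothing to flag
        if not e.baa_signed:
            findings["no_baa"].append(e.name)   # the hard-stop case from the article
            continue
        if e.baa_expires is None:
            findings["expiry_unknown"].append(e.name)  # signed, but Q3 unanswered
        elif e.baa_expires < today:
            findings["expired"].append(e.name)
        elif e.baa_expires - today <= timedelta(days=renewal_window_days):
            findings["renewing_soon"].append(e.name)
    return findings


# Constructed sample inventory (hypothetical vendors and dates, not from the article).
SAMPLE_INVENTORY = [
    VendorEntry("EHR vendor", True, True, date(2027, 1, 15)),
    VendorEntry("Email (business tier)", True, True, date(2026, 5, 1)),
    VendorEntry("Consumer file sharing", True, False, None),
    VendorEntry("Billing service", True, True, date(2025, 12, 31)),
    VendorEntry("IT support", True, True, None),
    VendorEntry("Office supply ordering", False, False, None),
]
SAMPLE_TODAY = date(2026, 3, 31)


def sample_report():
    return review_inventory(SAMPLE_INVENTORY, SAMPLE_TODAY)


if __name__ == "__main__":
    for kind, names in sample_report().items():
        print(f"{kind}: {', '.join(names) or '-'}")
```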

What a Good BAA Includes

A BAA is not simply a vendor’s statement that they take security seriously. It’s a legal contract with specific provisions required by the HIPAA Privacy and Security Rules.

A properly structured BAA should include: the purposes for which the vendor may use PHI, a prohibition on using PHI except as permitted, a commitment to maintain appropriate safeguards, an obligation to report security incidents, provisions for returning or destroying PHI at contract end, and requirements to impose similar obligations on any subcontractors.

A BAA that is unusually brief, doesn’t specify incident reporting obligations, or excludes large categories of PHI handling from its scope may leave gaps. If you’re reviewing a vendor BAA that seems thin, ask your HIPAA attorney or compliance consultant to review it before signing.

When a Vendor Won’t Sign a BAA

Some vendors genuinely cannot or will not sign BAAs. This is a hard stop. If a vendor refuses to sign a BAA, you cannot use that tool for PHI-related workflows. Period.

This isn’t negotiable — it’s a statutory requirement. The most common versions of this problem involve consumer-grade tools: WhatsApp, personal text messaging, consumer Dropbox, standard social messaging platforms. None offer BAAs. If staff are using these for patient communication or document sharing, that practice needs to stop immediately.

PHIGuard’s compliance dashboard includes a BAA inventory tracker specifically because this is one of the most common compliance gaps in small physician practices. Knowing where your BAA coverage ends tells you where your compliance exposure begins.

DEFINITION

Business Associate
A person or entity that performs functions or services on behalf of a covered entity that involve the use or disclosure of protected health information. Examples include EHR vendors, billing services, IT support with system access, task management software, and cloud storage providers.

DEFINITION

Business Associate Agreement (BAA)
A written contract required by HIPAA between a covered entity and a business associate. The BAA specifies permitted uses of PHI, safeguard requirements, incident reporting obligations, and how PHI is handled at contract termination.

DEFINITION

Covered Entity
Under HIPAA, a health care provider that transmits any health information electronically in connection with HIPAA-covered transactions. Physician practices are covered entities.

DEFINITION

Protected Health Information (PHI)
Individually identifiable health information created, received, maintained, or transmitted by a covered entity. Includes patient names combined with health status, care, or payment information.

Q&A

Which software tools in a physician clinic require a BAA?

Any tool that creates, receives, maintains, or transmits PHI on your behalf requires a BAA: EHR systems, email providers (if used for patient communications), cloud storage (if used for medical records), task management software (if tasks reference patients), billing services, scheduling tools, telehealth platforms, and IT support vendors with remote system access.

Q&A

Do task management tools like Asana or Slack require a BAA for physician clinic use?

Yes, if your staff uses them for tasks involving PHI. Asana requires Enterprise+ ($45/user/month) for a BAA. Slack requires Enterprise Grid for a BAA. Without these plans, using either tool for PHI-related tasks is a HIPAA violation. PHIGuard and Dock Health include BAAs at accessible pricing tiers.

Want to learn more?

Does task management software require a BAA?

Yes, if your staff uses it for tasks that reference or involve PHI. If task assignments include patient names, appointment details, procedure references, or any other PHI, the task management vendor is a business associate and requires a signed BAA. Popular tools like Asana, Monday.com, and Slack only offer BAAs on enterprise tiers. PHIGuard and Dock Health include BAAs at accessible pricing.

Does Google Gmail require a BAA for physician practices?

Yes, if you use Gmail for communications involving PHI. Google offers a BAA for Workspace (Business and Enterprise plans) through their admin console. Standard consumer Gmail accounts cannot be covered by a Google BAA. A physician practice using Gmail for any PHI-related communication must have a Google Workspace account with the BAA signed.

What happens if I use software without a signed BAA?

Using a vendor's service with PHI without a signed BAA is a HIPAA violation — regardless of the vendor's technical security measures. This applies even if no breach or unauthorized disclosure occurs. The missing BAA itself is the violation. Penalties can apply even for technical violations without actual harm.

Can I use a vendor that refuses to sign a BAA?

Not for any workflow involving PHI. If a vendor refuses to sign a BAA, you cannot use that tool for PHI-related tasks. This is a hard stop. Some consumer-grade tools (WhatsApp, standard iMessage, consumer Dropbox) do not offer BAAs. If your staff is using these for PHI, that needs to be addressed immediately.

Does the BAA cover all features of a vendor's product?

Usually not entirely. BAAs from major vendors often specify which services are covered. Google's BAA covers specific Workspace services (Gmail, Drive, Docs, Calendar, Meet) but not all Google products. Asana's BAA only covers Enterprise+ tier accounts, not lower tiers. Review what services are included in each vendor's BAA.