What Is a Business Associate Agreement (BAA)? HIPAA Explained
TLDR
A Business Associate Agreement (BAA) is a HIPAA-required contract between a covered entity (your practice) and any vendor who handles protected health information on its behalf. Without a signed BAA, using a third-party tool — email, task management, cloud storage, scheduling — with patient data is a HIPAA violation, regardless of how secure that tool claims to be.
What a BAA Actually Is
A business associate agreement is a contract. When your practice works with a vendor that handles patient information, HIPAA requires you to put that relationship in writing. The BAA specifies what the vendor can do with protected health information, what security measures they must maintain, how they will notify you if a breach occurs, and what happens when the agreement ends, including how PHI must be returned or destroyed.
The requirement comes from 45 CFR § 164.308, which requires covered entities to obtain satisfactory assurances from business associates before sharing PHI. Without that written assurance, the relationship is a violation.
A BAA and a vendor’s security are separate questions. A vendor can have strong encryption and pass its own audits while still being unusable for PHI because it won’t sign one; conversely, a signed BAA does not mean the vendor is actually secure. What the BAA does is create legal accountability and give you documentation for audits. You need both: the signed contract and genuine technical controls from the vendor.
Who Needs a BAA
Any vendor that creates, receives, maintains, or transmits PHI on behalf of your practice is a business associate and requires a BAA:
- Electronic health record (EHR) systems
- Task management and care coordination software
- Email providers (when used for patient communication or staff tasks involving PHI)
- Cloud storage (Google Drive, Dropbox, OneDrive, when practice files include PHI)
- Appointment scheduling tools
- Medical billing and revenue cycle companies
- IT support firms and managed service providers
- Transcription services
- Answering services and virtual receptionist services
- Data backup and disaster recovery providers
- Fax services (when transmitting PHI)
The HHS Office for Civil Rights publishes guidance on business associate relationships at hhs.gov. Its interpretation is broad: if a vendor touches PHI while providing services to your practice, that vendor is a business associate.
The Tools Most Practices Use Without a BAA
Most administrators already know their EHR has a BAA. The gap is in the secondary tools: software adopted to fill operational needs without anyone checking its compliance status.
Trello does not offer a BAA at any pricing tier. If your practice uses Trello to track patient-related tasks, that is a compliance exposure. Standard Gmail and Yahoo Mail are not BAA-eligible. Slack on any plan below Enterprise Grid (custom pricing, 250+ users minimum) does not provide a BAA. Asana requires Enterprise+ and Monday.com requires their Enterprise tier before they will sign one.
This is not an oversight. Each of those vendors decided that BAA administration belongs in their enterprise tier, where they can charge accordingly and set seat minimums most small practices cannot reach.
What BAA Failures Actually Cost
The Office for Civil Rights publishes its settlement and civil monetary penalty cases at hhs.gov/ocr. Several are tied to missing BAAs:
- A medical center paid $1.5 million after a breach investigation found missing BAAs with multiple vendors.
- A small specialty clinic paid $100,000 after OCR found a vendor relationship with no BAA. No breach had occurred. The missing contract was the violation.
- A physician practice paid $750,000 following a breach tied partly to a business associate without an executed BAA.
Fines scale with organizational size, number of individuals affected, and whether the violation was willful. OCR’s published cases include providers with two or three physicians. Small practices are not exempt.
If your practice has five vendors without BAAs and gets audited, that is five separate violations, even when no patient data was ever compromised.
BAA Availability by Common Tool
| Tool | BAA Available | Minimum Tier |
|---|---|---|
| Google Workspace | Yes | Business Starter ($6/user/mo) |
| Microsoft 365 | Yes | Business Basic ($6/user/mo) |
| Zoom | Yes | Business Plus ($20.83/user/mo) |
| Slack | Yes | Enterprise Grid (custom, 250+ users) |
| Asana | Yes | Enterprise+ (~$45/user/mo) |
| Monday.com | Yes | Enterprise (custom) |
| Notion | Yes | Enterprise (custom) |
| ClickUp | Yes | Business Plus ($12/user/mo) |
| Trello | No | Not available at any tier |
| PHIGuard | Yes | Practice ($20/mo flat) |
Verify current tier requirements directly with each vendor before purchasing. BAA availability changes when vendors restructure their product tiers.
How to Get BAAs from Common Tools
Google Workspace and Microsoft 365 handle BAA execution through self-service admin portals. Google’s BAA is in the admin console under Account Settings. Microsoft uses the Service Trust Portal.
For tools that gate BAAs behind paid tiers (Zoom, ClickUp), you need to be on the qualifying plan before the BAA option appears. If the process isn’t documented clearly, contact the vendor’s compliance or legal team directly.
Slack, Asana, Monday.com, and Notion all restrict BAAs to enterprise tiers. Getting one means going through their sales process: a demo call, a custom quote, and a multi-seat minimum. The BAA is part of a negotiated contract, not a self-service toggle.
Trello offers no BAA at any tier. It cannot be used with PHI.
Store every executed BAA in a dedicated compliance folder. HIPAA requires six-year retention. Review each BAA when the underlying vendor contract changes.
PHIGuard’s Approach
We built PHIGuard after seeing practices pay $450/month or more for HIPAA-compliant versions of general-purpose task tools, or run on non-compliant tools because the compliant tier was priced for enterprise accounts they could never justify.
PHIGuard includes a signed BAA at every pricing tier: Practice ($20/month for up to 10 staff), Clinic ($49/month for up to 25 staff), and Health System ($99/month for unlimited staff). There is no enterprise negotiation, no seat minimum to qualify, and no features stripped out to make compliance work.
The BAA is in the terms of service from signup. You don’t have to ask for it.
Definitions
- Business Associate Agreement (BAA): A HIPAA-required contract between a covered entity and a business associate specifying how protected health information will be handled, protected, and disclosed.
- Covered Entity: A healthcare provider, health plan, or healthcare clearinghouse that must comply with HIPAA. Medical practices, dental offices, mental health providers, and physical therapists are covered entities.
- Business Associate: A vendor or third party that handles protected health information on behalf of a covered entity. BAAs are required for all business associates.
- Protected Health Information (PHI): Any individually identifiable health information created, received, maintained, or transmitted by a covered entity, including patient names, diagnoses, treatment details, appointment dates, and billing information.
Q&A
What is a Business Associate Agreement (BAA)?
A BAA is a HIPAA-required contract between a medical practice and any vendor that handles protected health information. It specifies how the vendor will protect PHI, what security measures they maintain, and how they will respond to breaches.
Which software tools require a BAA for HIPAA compliance?
Any tool that stores or transmits protected health information requires a BAA: EHR systems, task management software, email providers, cloud storage, scheduling tools, billing systems, messaging platforms, and IT support services.
What happens to a medical practice without a BAA?
Using a vendor without a BAA to handle PHI is a HIPAA violation. Fines range from $100 to $50,000 per violation. The Office for Civil Rights has fined practices of all sizes for BAA failures, including small practices with only one or two providers.
How do I get a BAA from a software vendor?
Contact the vendor directly or find their BAA request process in their compliance or legal documentation. Large vendors (Google, Microsoft) have streamlined BAA processes. Some vendors (like PHIGuard) include a BAA automatically at every pricing tier.