A developer sent me their healthcare app for a compliance review last year. The app worked well. Encryption was in place. Role-based access was correctly implemented. The code was solid.
Then I asked one question: “Which vendors have you signed Business Associate Agreements with?”
Silence. Then: “What’s a BAA?”
They had spent four months building a HIPAA-compliant architecture and had no BAAs in place with any vendor. Their AWS account, Twilio integration, Stripe Healthcare connection, and analytics platform were all operating on PHI without legal protection. Every API call transmitting patient data was, technically, a HIPAA violation.
No BAA means no compliance. Regardless of your encryption. Regardless of your access controls. Regardless of how good your engineering is. This is not a technicality, it is the foundational legal requirement that makes everything else matter.
What Is a HIPAA BAA?
A HIPAA Business Associate Agreement (BAA) is a legally binding contract required by the Health Insurance Portability and Accountability Act before any third-party vendor can access, process, store, or transmit Protected Health Information (PHI) on behalf of a covered entity or another business associate.
It defines the vendor’s obligations to protect PHI, restricts the purposes for which PHI can be used, requires breach notification procedures, and establishes liability.
Without a signed BAA, a vendor touching PHI, regardless of their security practices, creates a direct HIPAA violation with every interaction.
Who Needs a BAA? The Three-Party Structure
HIPAA defines two categories of entities it directly regulates:
Covered Entities: Healthcare providers (physicians, hospitals, clinics), health insurance plans, and healthcare clearinghouses. They are regulated by HIPAA directly.
Business Associates: Any person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity. This includes software developers, cloud providers, billing companies, analytics vendors, IT support firms, and AI API providers.
If your app handles PHI on behalf of a covered entity, your company is a Business Associate. Every vendor your app uses that touches PHI is also a Business Associate. Every one of them needs a signed BAA.
The chain of liability: Business Associates can have their own Business Associates (called subcontractors). If your app uses AWS to store PHI, and AWS uses a subcontractor that touches that data, the BAA chain must extend to include them. AWS handles this through their BAA terms, but you must explicitly request and sign the BAA to activate coverage.
What a BAA Must Contain
HIPAA (45 CFR §164.314) specifies the required elements of a BAA:
- Permitted uses of PHI: The BAA must specify exactly what the vendor can do with PHI. Using patient data for product training, analytics, or any purpose beyond the contracted service requires explicit authorization or is a violation.
- Safeguards obligation: The vendor must agree to implement appropriate administrative, physical, and technical safeguards to protect PHI.
- Subcontractor flow-down: The vendor must ensure all their own subcontractors who touch PHI also have BAAs in place.
- Breach notification: The vendor must notify you of any breach or security incident involving PHI within 60 days of discovery (or faster per your contract).
- HHS audit rights: The vendor must allow HHS to access and audit their PHI handling practices.
- Termination and return/destruction of PHI: At contract end, the vendor must return or destroy all PHI they hold.
A vendor’s “we’re HIPAA compliant” marketing language on their website is not a BAA. A vendor’s security whitepaper is not a BAA. Only an executed legal agreement containing these elements activates BAA coverage.
The Vendor BAA Matrix Every Healthcare App Team Needs
This is what I review on every HIPAA compliance audit. For every vendor in your architecture, the question is: Will they sign a BAA?
Cloud Infrastructure
AWS: Signs BAAs and offers HIPAA-eligible services. You must explicitly request and sign the AWS BAA through your AWS account. Key HIPAA-eligible services: EC2, S3, RDS, DynamoDB, Lambda, API Gateway, CloudTrail, Cognito, KMS, SES. Services NOT covered under the AWS BAA include some analytics and ML services — verify each service against AWS’s current HIPAA-eligible services list before use.
Microsoft Azure: Signs BAAs through the Microsoft Online Services BAA. Covers Azure Healthcare APIs (FHIR), Azure Active Directory, core compute and storage services, and Azure OpenAI Service. Azure OpenAI being covered under the BAA is the primary pathway for GPT-4 use in HIPAA-compliant healthcare apps.
Google Cloud Platform: Signs BAAs and offers HIPAA-eligible services including Cloud Healthcare API, Compute Engine, Cloud Storage, BigQuery, and others. Verify the current HIPAA-eligible services list; it changes.
Video Infrastructure
Twilio Video: Offers a HIPAA BAA. You must explicitly request the BAA through Twilio’s enterprise process. Standard Twilio consumer accounts do not automatically include BAA coverage.
Daily.co: Offers a healthcare BAA for HIPAA-compliant video applications.
Zoom for Healthcare: HIPAA-eligible with BAA but requires specific sign-up for the Zoom for Healthcare product, not the standard Zoom account. Standard Zoom is explicitly not HIPAA compliant for PHI.
AI APIs: The Most Common 2026 Trap
OpenAI (standard API): No BAA on consumer or standard API tiers. BAA available through enterprise agreement, contact baa@openai.com. Alternatively, access GPT-4o through Azure OpenAI Service under Azure’s BAA.
Anthropic (standard API): No BAA on standard tier. Enterprise BAA pathway available. For healthcare use, AWS Bedrock or Azure provide BAA-covered access to Claude models.
AWS Bedrock: Covered under AWS’s HIPAA BAA. Provides BAA-covered access to multiple foundation models including Claude and other LLMs.
Cursor, GitHub Copilot, Replit, Bolt: None of these AI coding tools sign BAAs. If developers use real patient data in prompts, even for “testing”, that is a HIPAA violation. Development environments must use synthetic data only.
Payments
Stripe Healthcare: Offers a BAA for healthcare-specific payment processing. Standard Stripe accounts do not have BAA coverage; you must specifically request Stripe’s healthcare tier.
Analytics and Monitoring
Google Analytics: Does not offer a BAA and explicitly states it is not HIPAA compliant for PHI. Do not use Google Analytics on any page that handles patient data.
Datadog: Offers a HIPAA BAA for the Business and Enterprise plans. The standard account does not include BAA coverage.
Segment, Mixpanel, Amplitude: Generally do not offer BAAs. Third-party analytics platforms are a frequent source of inadvertent PHI disclosure: form-field tracking can capture patient data if event tracking is not carefully controlled.
The Four Most Expensive BAA Mistakes
Mistake 1: Not having a BAA before using the vendor.
This is the mistake that generates the most enforcement risk. The BAA must be in place before PHI is transmitted. Retroactively signing a BAA does not remediate past violations; it only covers future activity.
Mistake 2: Assuming a vendor’s “HIPAA compliant” marketing equals a BAA.
“We’re HIPAA compliant” on a vendor’s website means they believe their security practices meet HIPAA standards. It is not a BAA. Many vendors who market themselves as HIPAA compliant do not offer BAAs or require specific enterprise tiers to obtain one.
Mistake 3: Using a service not on the cloud provider’s HIPAA-eligible services list.
AWS will sign a BAA, but that BAA only covers services explicitly listed as HIPAA-eligible. If your application uses an AWS service not on that list to process PHI, even inadvertently, you are operating outside your BAA coverage. The BAA doesn’t mean “all of AWS is covered.” It means “the specific services listed in your BAA addendum are covered.”
Mistake 4: Analytics or session recording capturing PHI.
HHS issued explicit guidance in 2023 on tracking technologies in healthcare apps. Third-party scripts, analytics pixels, session recording tools, and A/B testing platforms that capture form inputs can inadvertently transmit PHI to vendors without BAAs. Healthcare organizations have faced enforcement actions and civil lawsuits from this exact scenario. Audit every third-party script on every page that handles patient data.
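One way to start the script audit this section calls for is to inventory every external host a patient-facing page loads scripts, images (pixels) and iframes from, and flag any host that is not on your list of BAA-covered or first-party origins. The example below is added here and is not code from the original article; the HTML, the `.invalid` host names and the approved-host list are all constructed for illustration.

```python
from html.parser import HTMLParser
from typing import Dict, Set
from urllib.parse import urlparse


class ExternalResourceCollector(HTMLParser):
    """Collects the hosts that a page loads scripts, images and iframes from.

    Relative URLs have no host and are treated as first-party; anything with a
    host is an external resource that may receive request data (URL, referrer,
    cookies, or, for scripts, whatever the script itself reads from the page).
    """

    TAG_ATTRS = {"script": "src", "img": "src", "iframe": "src"}

    def __init__(self) -> None:
        super().__init__()
        # host -> set of tag names that loaded something from that host
        self.hosts: Dict[str, Set[str]] = {}

    def handle_starttag(self, tag, attrs):
        attr = self.TAG_ATTRS.get(tag)
        if attr is None:
            return
        src = dict(attrs).get(attr)
        if not src:
            return
        # hostname is lower-cased and port-stripped; protocol-relative
        # "//host/path" URLs parse correctly as well
        host = urlparse(src).hostname
        if host:
            self.hosts.setdefault(host, set()).add(tag)


def find_unapproved_hosts(html: str, approved_hosts: Set[str]) -> Dict[str, Set[str]]:
    """Return external hosts on the page that are not on the approved list."""
    parser = ExternalResourceCollector()
    parser.feed(html)
    return {h: tags for h, tags in parser.hosts.items() if h not in approved_hosts}


# Constructed sample: a patient intake page with one first-party script, a
# BAA-covered video iframe, an analytics script and a tracking pixel.
SAMPLE_INTAKE_PAGE = """
<html><head>
  <script src="/static/intake.js"></script>
  <script src="https://collect.analytics-vendor.invalid/tag.js"></script>
</head><body>
  <form><input name="dob"><input name="diagnosis"></form>
  <iframe src="https://video.baa-vendor.invalid/room/123"></iframe>
  <img src="//pixel.adnet.invalid/p.gif" width="1" height="1">
</body></html>
"""

# Hosts you have a BAA with (constructed); your own origin needs no entry
# because first-party resources use relative URLs in this sample.
APPROVED_HOSTS = {"video.baa-vendor.invalid"}


def audit_sample() -> Dict[str, Set[str]]:
    return find_unapproved_hosts(SAMPLE_INTAKE_PAGE, APPROVED_HOSTS)


if __name__ == "__main__":
    for host, tags in sorted(audit_sample().items()):
        print(f"UNAPPROVED {host} loaded via {', '.join(sorted(tags))}")
```

Run this over the rendered HTML of every page in the PHI data path, not just the templates: tag managers and consent tools inject scripts at runtime, so a fetch of the served page (or a DOM dump from a browser) is the input that reflects what patients actually load.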
The BAA Audit Process: What to Do Before Launch
Before any healthcare app goes live on production data:
- Step 1: Vendor inventory. List every third-party vendor in your architecture. Include cloud providers, email services (yes, if your app sends appointment reminders with patient names, your email service touches PHI), video providers, payment processors, analytics platforms, AI APIs, logging services, error monitoring, and customer support tools.
- Step 2: BAA audit. For each vendor: Do they offer a BAA? Is one in place? Is it current? Does your usage fall within the BAA’s covered services?
- Step 3: Replace or restrict non-BAA vendors. Any vendor that touches PHI and will not sign a BAA must be removed from the PHI data path. Either replace them with a BAA-offering alternative, or architect your application to ensure PHI never reaches that vendor.
- Step 4: Activate BAA coverage. For vendors who offer BAAs but require explicit activation (AWS, Azure, Twilio, Stripe Healthcare), execute the BAA agreement through the vendor’s process. Self-service BAAs can often be signed in minutes; enterprise BAAs can take weeks.
- Step 5: Document. Maintain a BAA register, a centralized document listing every vendor BAA, the date it was signed, what services it covers, and when renewal or review is required. This is the first document an HHS auditor requests.
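The register from Step 5 is only useful if something reads it. The following added example (not code from the original article) keeps a minimal BAA register as data and runs the checks from Steps 2 and 3 and from Mistake 3 over it: a PHI-path vendor with no executed BAA, PHI sent through a service the BAA addendum does not list, and a BAA past its review date. The vendor names, service names, dates and the 365-day review interval are constructed placeholders, not a real inventory.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set


@dataclass
class VendorEntry:
    name: str
    touches_phi: bool               # Step 1: is the vendor in the PHI data path?
    baa_signed: bool                # Step 2: is a BAA executed?
    baa_date: Optional[date]        # signing date, None when no BAA exists
    covered_services: Set[str]      # services the BAA addendum lists as eligible
    services_used: Set[str]         # services the app actually sends PHI through
    review_interval_days: int = 365 # constructed review cadence


@dataclass
class Finding:
    vendor: str
    code: str
    detail: str


def audit_register(register: List[VendorEntry], today: date) -> List[Finding]:
    """Apply the BAA checks to every register entry and return the gaps."""
    findings: List[Finding] = []
    for v in register:
        if not v.touches_phi:
            continue  # vendors outside the PHI path need no BAA
        if not v.baa_signed:
            findings.append(Finding(v.name, "NO_BAA",
                                    "vendor handles PHI without an executed BAA"))
            continue  # the remaining checks assume a BAA exists
        # Mistake 3: a BAA covers only the services it lists
        uncovered = sorted(v.services_used - v.covered_services)
        if uncovered:
            findings.append(Finding(v.name, "SERVICE_NOT_COVERED",
                                    "PHI flows through services outside the BAA: "
                                    + ", ".join(uncovered)))
        # Step 5: the register records when review or renewal is due
        if v.baa_date is not None and (today - v.baa_date).days > v.review_interval_days:
            findings.append(Finding(v.name, "REVIEW_OVERDUE",
                                    f"BAA signed {v.baa_date.isoformat()}, "
                                    "review interval exceeded"))
    return findings


# Constructed sample register; every name, service and date is illustrative.
SAMPLE_REGISTER = [
    VendorEntry("cloud-provider", True, True, date(2025, 1, 15),
                {"object-storage", "managed-db", "functions"},
                {"object-storage", "managed-db", "ml-service-not-on-list"}),
    VendorEntry("analytics-saas", True, False, None, set(), {"event-tracking"}),
    VendorEntry("email-reminders", True, True, date(2023, 6, 1),
                {"transactional-email"}, {"transactional-email"}),
    VendorEntry("build-ci", False, False, None, set(), {"pipelines"}),
]


def audit_sample(today: date = date(2026, 1, 10)) -> List[Finding]:
    return audit_register(SAMPLE_REGISTER, today)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.code:20} {f.vendor:16} {f.detail}")
```

Keeping `services_used` accurate is the hard part: populate it from infrastructure-as-code or from the cloud provider's own inventory rather than from memory, since the inadvertent use of an uncovered service is exactly the case Mistake 3 describes.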
What Happens Without a BAA
OCR enforcement reality: The HHS Office for Civil Rights has pursued significant enforcement actions against organizations operating without BAAs. Raleigh Orthopaedic paid $750,000 for disclosing ePHI to a vendor without a signed BAA. The violation was not a data breach — it was simply operating without the contractual protection in place.
HIPAA violation penalties (2026, updated for COLA): $145–$2,190,294 per violation. In cases involving PHI transmitted without a BAA, each API call or data access event can constitute a separate violation. The math of “one violation per API call without BAA” is theoretically catastrophic at scale. You can read more about violation penalties by visiting HIPAA Journal.
The contractual protection BAAs provide: Beyond regulatory compliance, BAAs create legal accountability. If a vendor experiences a breach involving your patients’ PHI, a signed BAA establishes their obligation to notify you, their liability, and your legal remedies. Without a BAA, you have no contractual basis for holding them accountable.
FAQ
Does my wellness app need BAAs?
Only if your app creates, receives, maintains, or transmits PHI on behalf of a covered entity. A generic fitness app tracking step counts doesn’t require BAAs. The same app integrated with a physician’s practice, sharing data with clinicians, or collecting health information that gets transmitted to a healthcare provider requires BAAs for every vendor in the data path.
Can I use Google Analytics on my healthcare app?
No. Google Analytics does not offer a BAA and is explicitly not HIPAA compliant for pages handling PHI. Replace it with a HIPAA-compliant analytics alternative (Datadog with a BAA, or custom event logging within your HIPAA-eligible infrastructure).
Does signing a BAA with AWS mean all AWS services are covered?
No. AWS’s BAA covers only the services explicitly listed as HIPAA-eligible in AWS’s published list. Verify each service your application uses against that list. Services not on the HIPAA-eligible list cannot be used to process PHI even under an AWS BAA.
What is the difference between a BAA and a Data Processing Agreement (DPA)?
A BAA is specific to US HIPAA law and applies to covered entities and business associates handling PHI. A DPA (Data Processing Agreement) is the EU GDPR equivalent for data processors handling EU personal data. Healthcare apps serving both US and EU patients may need both.
How long does a vendor BAA take to execute?
Self-service BAAs (AWS, Azure, some Twilio tiers) can be executed in minutes. Enterprise BAAs requiring negotiation (OpenAI enterprise, some healthcare-specific vendors) typically take 1–4 weeks. Plan for this in your pre-launch timeline; don’t discover a BAA gap the week before launch.
What happens to my BAAs if I switch vendors?
You must execute new BAAs with replacement vendors before any PHI touches the new vendor’s systems. The old vendor’s BAA termination provisions require them to return or destroy PHI they hold. Document both transitions.