COMPLIANCE ESSENTIALS · 2026

BAA vs HIPAA: Know the Difference

One is a federal law. The other is a contract. Confusing them is how healthcare startups get fined before they launch.

HIPAA = the law

BAA = the contract

Both are required

VertiComply · verticomply.com · April 2026 · 10 min read


If you are building a healthcare application, you have seen both terms a hundred times. HIPAA. BAA. They appear in the same conversations, the same compliance checklists, the same vendor onboarding forms. And most founders treat them as interchangeable. They are not. Understanding the difference between HIPAA and a BAA is one of those things that seems trivial until it costs you a six-figure fine.

The Quick Answer

HIPAA is a federal law. It sets rules for how protected health information must be handled in the United States. It applies to covered entities — hospitals, clinics, insurance companies — and their business associates.

A BAA (Business Associate Agreement) is a legal contract required by HIPAA. Before a covered entity shares PHI with a third-party vendor, the two parties must sign a BAA. The BAA defines what the vendor can do with the data and what safeguards it must maintain.

Put simply: HIPAA is the rulebook. A BAA is the signed agreement that says “I will follow the rulebook.”

HIPAA tells you what must be protected. A BAA tells a specific vendor that they are now legally obligated to protect it. One without the other leaves you exposed.

What HIPAA Actually Is

HIPAA — the Health Insurance Portability and Accountability Act — became law in 1996. For software developers and startup founders, three parts matter:

The Privacy Rule

Governs how PHI can be used and disclosed. Gives patients rights over their health data, including the right to access it and request corrections. Limits who can see what and under which circumstances.

The Security Rule

Requires administrative, physical, and technical safeguards for electronic PHI (ePHI). This is the rule that mandates encryption, access controls, audit logging, and the full technical checklist developers need to follow. Since the January 2025 update, encryption and MFA are mandatory with no exceptions.

The Breach Notification Rule

If unsecured PHI is compromised, you must notify affected individuals within 60 days and report the breach to HHS. Breaches affecting 500 or more people are posted publicly on the HHS “Wall of Shame”.

HIPAA applies to two categories of organizations:

Covered Entities — healthcare providers who transmit health information electronically, health plans, and healthcare clearinghouses

Business Associates — any person or organization that performs functions involving PHI on behalf of a covered entity

If your healthcare app handles PHI on behalf of a clinic, hospital, or insurance company, you are a business associate. HIPAA applies to you directly — not just through the BAA.

What a BAA Actually Is

A Business Associate Agreement is a written contract between a covered entity and a business associate. HIPAA requires it. You cannot legally share PHI with a vendor without one.

A BAA must include:

What PHI the business associate can access and how they can use it

A requirement to implement appropriate safeguards (encryption, access controls, audit logging)

A requirement to report security incidents and breaches to the covered entity

A requirement that the business associate will not use or disclose PHI beyond what the contract permits

A requirement to return or destroy PHI when the contract ends

Authorization for HHS to audit the business associate's compliance

HHS publishes sample BAA provisions that most organizations use as a starting point. But a BAA is not a template you sign and forget. It is a living document that should be reviewed annually and updated whenever the scope of services changes.

Common Misconception

A signed BAA does not make a vendor HIPAA compliant. It creates a legal obligation for them to be compliant. If they sign a BAA but never implement encryption or audit logging, both parties are at risk — the vendor for failing to comply, and the covered entity for not verifying compliance.

BAA vs HIPAA: Side-by-Side Comparison

| Aspect | HIPAA | BAA |
| --- | --- | --- |
| What is it? | Federal law (1996) | Legal contract between two parties |
| Who created it? | US Congress | The covered entity and business associate together |
| Who does it apply to? | Covered entities + business associates | A specific vendor relationship |
| Is it optional? | No — it is the law | No — required by HIPAA when PHI is shared |
| What does it cover? | All PHI handling rules, patient rights, security standards | Specific terms for one vendor's access to PHI |
| Enforcement | HHS Office for Civil Rights (OCR) | Contract law + HIPAA enforcement |
| Penalty for non-compliance | Up to $1.9M per violation category per year | Contract termination + HIPAA penalties |
| Can you be compliant without it? | N/A — it is the law itself | No — missing BAA = automatic HIPAA violation |

Who Actually Needs a BAA?

This is where most startups get it wrong. The list of vendors that need a BAA is longer than people expect. If any third party can potentially access PHI — even if they never look at it — they need a BAA.

Vendors that definitely need a BAA

Cloud providers — AWS, Google Cloud, Azure (all offer BAAs for HIPAA-eligible services)

SaaS platforms — any software where PHI is stored or processed

Email services — if you send PHI via email (appointment reminders, lab results)

Billing and claims processors — they handle insurance data, diagnosis codes, treatment records

Analytics and monitoring tools — if they can access logs containing PHI

Customer support platforms — Intercom, Zendesk, etc. if patients contact you through them

SMS/notification services — Twilio, SendGrid if messages contain PHI

AI/LLM providers — any AI API that processes patient data needs a BAA (this is new in 2025-2026)

Vendors that do NOT need a BAA

Not every vendor requires one. The test is whether they have access to PHI:

Janitorial services (unless they access PHI storage areas)

General IT hardware suppliers (shipping laptops, not accessing data)

Payment processors handling credit card data only (PCI, not HIPAA)

Public-facing marketing tools that never touch patient data

The AI Vendor Trap

In 2026, every other healthcare startup is integrating AI features — chatbots, diagnostic support, clinical note generation. If the AI provider processes any patient data, even anonymized data that could be re-identified, you need a BAA. Most general-purpose AI APIs (OpenAI, Anthropic, Google) do not sign BAAs for their standard tiers. Use their HIPAA-eligible offerings or a platform that handles this at the infrastructure level.

What Happens If You Skip the BAA?

Operating without a required BAA is a HIPAA violation. Not a theoretical risk — an actual violation, even if no breach ever occurs. HHS has made this clear repeatedly through enforcement actions.

| Violation Tier | Penalty per Violation | Annual Maximum |
| --- | --- | --- |
| Tier 1 — Did not know | $100 – $50,000 | $25,000 |
| Tier 2 — Reasonable cause | $1,000 – $50,000 | $100,000 |
| Tier 3 — Willful neglect (corrected) | $10,000 – $50,000 | $250,000 |
| Tier 4 — Willful neglect (not corrected) | $50,000 | $1,900,000 |

The covered entity — not the vendor — bears the penalty for failing to have a BAA in place. That means your client (the hospital, the clinic) gets fined because you did not sign a BAA. And once that happens, they terminate the contract and you lose the customer.

Since HIPAA enforcement began, HHS has collected over $137 million in penalties. Missing BAAs are among the most common findings in compliance audits — and one of the easiest to prevent.

Real Enforcement Examples

These are not hypothetical scenarios. They are actual HHS enforcement actions:

North Memorial Health Care ($1.55M): Failed to have a BAA with a business associate that had access to ePHI of 289,904 individuals.

Raleigh Orthopaedic Clinic ($750K): Gave a vendor access to PHI for a compliance assessment without a BAA in place.

Care New England ($400K): Used a vendor for document storage without executing a BAA first.

Notice the pattern: none of these were data breaches. They were missing paperwork. A signed BAA would have prevented every one of these penalties.

BAA Checklist: What to Include

If you are drafting or reviewing a BAA, make sure it covers these elements. This is based on HHS guidance and what actually matters for healthcare startups:

Permitted uses and disclosures of PHI — be specific, not open-ended

Obligation to implement HIPAA Security Rule safeguards

Requirement to report breaches and security incidents within a defined timeline (typically 30 days)

Prohibition on unauthorized use or disclosure

Requirement to ensure subcontractors sign BAAs (downstream BAAs)

Obligation to make PHI available for patient access requests

Requirement to return or destroy PHI on contract termination

Permission for HHS audit of business associate practices

Term and termination provisions — what happens if the BA violates the agreement

Subcontractor Trap

If your vendor uses sub-processors (and they almost certainly do — AWS for hosting, Twilio for SMS, etc.), each sub-processor with PHI access also needs a BAA. Your BAA should require the vendor to manage these downstream agreements. If they cannot show you their sub-processor BAA chain, that is a compliance gap.
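The vendor test above (PHI access means a BAA is required), the sub-processor chain in this section, and the annual review cadence the article recommends later can all be checked mechanically against a vendor inventory. The following is an added example written for this article; it is not VertiComply's code and not an HHS tool. The vendor names, dates and sub-processor relationships are constructed sample data, and the 365-day review interval is an assumption taken from the article's "at minimum annually" guidance. The walk goes beyond the single vendor-plus-sub-processor case in the text: it recurses through any depth of sub-processors and reports the full chain for each gap, so a missing downstream BAA is attributed to the vendor that should have obtained it.

```python
"""Vendor inventory audit for BAA coverage (added example; constructed data)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Assumption: the article says BAAs should be reviewed at minimum annually.
REVIEW_INTERVAL = timedelta(days=365)

# Fixed "today" so the sample audit is deterministic (constructed value).
AUDIT_DATE = date(2026, 4, 15)


@dataclass
class Vendor:
    """One third party in the inventory, with its own sub-processors."""
    name: str
    phi_access: bool                          # can it create/receive/maintain/transmit PHI?
    baa_signed: bool = False
    baa_last_reviewed: Optional[date] = None  # date of the last BAA review, if any
    subprocessors: List["Vendor"] = field(default_factory=list)


def audit(vendor: Vendor, today: date, path: tuple = ()) -> List[str]:
    """Return findings for this vendor and, recursively, its sub-processors.

    Rules (from the article):
      - PHI access without a signed BAA is a gap (MISSING_BAA).
      - A signed BAA not reviewed within REVIEW_INTERVAL is stale (STALE_BAA).
      - Every sub-processor with PHI access needs its own BAA; the chain is
        reported so the gap is attributed to the vendor responsible for it.
      - Vendors with no PHI access (janitorial, hardware supply, card-only
        payment processing) need no BAA and produce no findings.
    """
    findings: List[str] = []
    chain = path + (vendor.name,)
    label = " -> ".join(chain)
    if not vendor.phi_access:
        return findings
    if not vendor.baa_signed:
        findings.append(f"MISSING_BAA: {label}")
    elif vendor.baa_last_reviewed is None or today - vendor.baa_last_reviewed > REVIEW_INTERVAL:
        findings.append(f"STALE_BAA: {label}")
    for sub in vendor.subprocessors:
        findings.extend(audit(sub, today, chain))
    return findings


def audit_inventory(vendors: List[Vendor], today: date) -> List[str]:
    """Audit every top-level vendor in the inventory."""
    findings: List[str] = []
    for vendor in vendors:
        findings.extend(audit(vendor, today))
    return findings


def sample_inventory(today: date) -> List[Vendor]:
    """Constructed sample inventory, not a real vendor list."""
    return [
        Vendor("Telehealth Platform", phi_access=True, baa_signed=True,
               baa_last_reviewed=today - timedelta(days=90),
               subprocessors=[
                   # BAA signed but last reviewed more than a year ago -> stale
                   Vendor("Cloud Hosting", phi_access=True, baa_signed=True,
                          baa_last_reviewed=today - timedelta(days=800)),
                   # sends appointment reminders containing PHI, no BAA -> missing
                   Vendor("SMS Gateway", phi_access=True, baa_signed=False),
                   # compliant itself, but forwards notes to an AI API without a BAA
                   Vendor("Note Transcription", phi_access=True, baa_signed=True,
                          baa_last_reviewed=today - timedelta(days=30),
                          subprocessors=[
                              Vendor("General LLM API", phi_access=True, baa_signed=False),
                          ]),
               ]),
        # card data only (PCI scope, not HIPAA) -> no BAA needed, no finding
        Vendor("Payment Processor", phi_access=False),
    ]


def run_sample_audit() -> List[str]:
    """Run the audit over the constructed inventory at AUDIT_DATE."""
    return audit_inventory(sample_inventory(AUDIT_DATE), AUDIT_DATE)


if __name__ == "__main__":
    for finding in run_sample_audit():
        print(finding)
```

Each finding carries the full chain (for example "Telehealth Platform -> Note Transcription -> General LLM API"), which is the evidence to ask the top-level vendor for when it cannot show its sub-processor BAA chain. In practice the inventory would be loaded from a vendor register rather than constructed in code, and the review interval would follow your own policy.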

What This Means If You Are Building a Healthcare App

If you are building a healthcare application — whether a patient portal, an EHR system, a telehealth platform, or a clinical trial tool — you are almost certainly a business associate. Here is what that means practically:

You need to sign BAAs with your clients

Every hospital, clinic, or health plan that uses your software will require a BAA before they send you any patient data. Have a BAA template ready before your first sales call. Enterprise prospects will ask for it in the first meeting.

You need BAAs with your vendors

Your cloud provider, your database host, your email service, your analytics tool — if any of them touch PHI, you need a BAA with them. This is where platforms like VertiComply help: the compliance infrastructure is built in, so you are not chasing BAAs with a dozen individual vendors.

You need to actually implement the safeguards

A BAA is a legal promise that you will protect PHI. If you sign one but your app stores passwords in plain text and has no audit logging, the BAA makes things worse — you have now contractually committed to something you are not doing. Build compliance into your architecture from day one. Automated compliance scoring can verify your code actually implements what the BAA promises.

Frequently Asked Questions

What is the difference between HIPAA and a BAA?

HIPAA is a federal law that sets privacy and security rules for health information. A BAA is a legal contract required by HIPAA when a covered entity shares PHI with a third-party vendor. HIPAA is the law; a BAA is one of the mechanisms for complying with it.

Who needs a BAA?

Any third party that creates, receives, maintains, or transmits PHI on behalf of a covered entity needs a signed BAA. This includes cloud providers, SaaS platforms, email services, analytics tools, and billing companies.

What happens if you operate without a BAA?

Operating without a required BAA is a HIPAA violation even if no breach occurs. Penalties range from $100 to $50,000 per violation, with an annual maximum of $1.9 million per violation category.

Does a BAA make a vendor HIPAA compliant?

No. A BAA creates a legal obligation. The vendor must still implement actual safeguards — encryption, access controls, audit logging, breach notification. A signed BAA without real security provides no protection.

Do I need a BAA with my cloud provider?

Yes. AWS, Google Cloud, and Azure all offer BAAs for their HIPAA-eligible services. You must sign the BAA and properly configure the services before storing PHI.

How often should a BAA be reviewed?

At minimum annually, and whenever the scope of services changes, regulations are updated, or the business relationship evolves. Stale BAAs that do not reflect current data flows are a compliance risk.

Can I use a template BAA?

HHS publishes sample provisions that work as a starting point. However, each BAA should be tailored to the specific vendor relationship, data flows, and services involved. A generic template may miss critical terms.

Build HIPAA compliant from day one — BAA-ready out of the box

VertiComply generates healthcare app code with encryption, audit logging, access controls, and compliance documentation built in. Your BAA commitments are backed by real safeguards, not promises.

No compliance consultants. No six-month timelines. No missing BAAs.

Key Numbers

HIPAA penalties collected: $137M+

Max annual penalty per category: $1.9M

Largest BAA-related fine: $1.55M

Breach notification deadline: 60 days
