
What Is a BAA and Why Your AI Vendor Needs One

Jordan Manu'atu · March 29, 2026 · 7 min read

The Short Version

A BAA — Business Associate Agreement — is a legal contract between your healthcare practice and any outside vendor that handles protected health information (PHI) on your behalf. It is required by HIPAA. Not recommended. Not optional. Required.

If you are using an AI assistant, a scheduling tool, a cloud storage provider, or any software that touches patient data, and there is no BAA in place, your practice is exposed. Exposed legally, financially, and reputationally.

This post breaks down what a BAA actually covers, why it matters when choosing an AI vendor, and what red flags to watch for.

What HIPAA Actually Requires

HIPAA — the Health Insurance Portability and Accountability Act — is federal law. It establishes rules for how patient health information is stored, transmitted, and accessed. The two main components relevant to vendors are:

The Privacy Rule. This governs who can see and use patient information and under what circumstances.

The Security Rule. This requires specific administrative, physical, and technical safeguards to protect electronic PHI (ePHI).

Under HIPAA, a "covered entity" is the healthcare provider — your clinic, your practice, your hospital. A "business associate" is any third party that performs functions or activities involving PHI on behalf of the covered entity.

If you hire a company to build an AI assistant that collects patient names, appointment details, insurance information, or any health-related data through conversations, that company is a business associate. Full stop.

The BAA is the legal document that formalizes that relationship and spells out exactly what the business associate is required to do to protect that data.

What a BAA Covers

A properly written BAA addresses several key areas:

Permitted uses and disclosures. The agreement defines exactly how the business associate can use PHI. They can use it to perform the services you hired them for — and nothing else. They cannot sell it, share it with unrelated third parties, or use it for their own marketing.

Safeguards. The business associate must implement appropriate safeguards to prevent unauthorized use or disclosure of PHI. This includes encryption, access controls, secure storage, and network security measures.

Breach notification. If a data breach occurs — meaning PHI is accessed, used, or disclosed in a way that is not permitted — the business associate is required to notify your practice. The BAA specifies the timeline and method for this notification. Under HIPAA, this notification must happen without unreasonable delay and no later than 60 days after discovery of the breach.

Subcontractors. If your AI vendor uses subcontractors (for example, a cloud hosting provider or a third-party API), the BAA requires them to ensure those subcontractors also comply with HIPAA. The chain of responsibility does not break just because the work is outsourced.

Return or destruction of data. When the contract ends, the BAA addresses what happens to the PHI. The business associate must return it or destroy it, depending on what is feasible and what the agreement specifies.

Individual rights. The BAA must support your obligations to patients under HIPAA, including the right to access their own records and request amendments.

Why This Matters for AI Vendors Specifically

AI introduces some unique risks that make BAAs even more critical than they might be with a traditional software vendor.

Conversation data. An AI assistant that talks to patients collects PHI through those conversations. The patient might share their name, symptoms, medications, insurance details, or appointment preferences. All of that is PHI.

Model training. Some AI companies use the data from customer interactions to train and improve their models. If patient conversations are being fed into a general training dataset, that is a HIPAA violation unless the data is properly de-identified — which is extremely difficult to do with conversation data. A compliant AI vendor will not use your patient conversations for model training. Period.

Data storage and retention. Where are conversation logs stored? For how long? Who has access? These are not abstract questions. Your BAA should address all of them, and your AI vendor should have clear, documented answers.

Third-party integrations. If the AI connects to your calendar, your EHR, or your payment system, each of those connections is a potential point of exposure. A responsible vendor documents these integrations and ensures each one is secured and covered under the BAA chain.

Red Flags When Evaluating an AI Vendor

Here is what should concern you when you are shopping for an AI assistant for your practice:

They cannot provide a BAA. This is the biggest and most obvious red flag. If a vendor says they do not offer BAAs or that their product "does not need one," walk away. If their tool touches PHI in any form — and if it talks to patients, it does — a BAA is required by law.

They have no clear data handling policy. Ask them: Where is data stored? Is it encrypted at rest and in transit? Who has access? How long is it retained? If the answers are vague or nonexistent, that tells you what you need to know.

They train their AI on customer data. Ask directly: "Is any data from my patients' conversations used to train or fine-tune your AI models?" If the answer is yes, or if they hedge, that is a problem.

They use consumer-grade infrastructure. HIPAA-compliant hosting requires specific configurations. If your AI vendor is running on a basic shared hosting plan or a consumer cloud account without HIPAA-eligible settings, the infrastructure itself is a violation.

No audit logging. HIPAA requires that access to PHI be logged and auditable. If the vendor cannot show you an audit trail of who accessed what and when, they are not meeting the standard.

No breach notification process. Ask them: "If there is a data breach, how will I be notified and within what timeline?" If they do not have a documented incident response plan, they are not ready to handle PHI.

What Compliance Looks Like Done Right

A HIPAA-compliant AI assistant is not just a chatbot with a privacy policy page. It is a system built from the ground up with these principles:

Encryption everywhere. Data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent). No exceptions.

Signed BAA before any PHI is processed. The agreement is in place before the system goes live. Not after. Not "in progress."

Zero training on patient data. Conversations are used exclusively to provide the service. They are not recycled into model training datasets.

Role-based access control. Only authorized personnel at your practice can view conversation logs and patient data. The vendor's team does not have open access to your patients' information.

Audit logs. Every access event, every data query, every conversation is logged with timestamps and user identification.

Documented incident response. A clear, written plan for what happens when something goes wrong — because preparedness is what separates compliant organizations from exposed ones.
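The gateway below is an added illustration (not the author's product or any vendor's code) of how the "signed BAA first", role-based access and audit-log principles above fit together in one PHI access path, with a TLS 1.2 floor for data in transit. The roles, user names and record ids are constructed assumptions.

```python
"""PHI access gateway: BAA gate, role-based access control, audit log, TLS floor.
Added example only; roles, users and record ids below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ssl

# Roles at the practice allowed to read PHI. The vendor's own staff is
# deliberately absent: the vendor's team must not have open access.
PHI_READ_ROLES = {"clinician", "front_desk"}


@dataclass
class PhiGateway:
    baa_signed: bool                                 # no BAA, no PHI processing
    records: dict = field(default_factory=dict)      # record_id -> PHI (constructed)
    audit_log: list = field(default_factory=list)    # every attempt, allowed or denied

    def _audit(self, user, role, action, record_id, allowed, reason):
        # Timestamp and user identification on every access event, denied ones included.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "record": record_id, "allowed": allowed, "reason": reason,
        })

    def read_phi(self, user, role, record_id):
        """Return the PHI record, or None when denied. Every attempt is logged."""
        if not self.baa_signed:
            self._audit(user, role, "read", record_id, False, "no signed BAA")
            return None
        if role not in PHI_READ_ROLES:
            self._audit(user, role, "read", record_id, False, "role not permitted")
            return None
        self._audit(user, role, "read", record_id, True, "ok")
        return self.records.get(record_id)


def transit_context():
    """Client TLS context that refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    gw = PhiGateway(baa_signed=True, records={"pt-001": {"name": "constructed patient"}})
    gw.read_phi("vendor.support", "vendor_support", "pt-001")   # denied, still logged
    gw.read_phi("dr.lee", "clinician", "pt-001")                # allowed
    for entry in gw.audit_log:
        print(entry)
```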

The Bottom Line

A BAA is not paperwork for the sake of paperwork. It is the legal foundation that protects your patients, your practice, and your license. Without one, you are trusting a vendor to do the right thing with no legal obligation to actually do it.

When you are evaluating AI vendors for your clinic, the BAA question should come first — before pricing, before features, before the demo. If they cannot provide one, nothing else matters.

We built our AI assistant with HIPAA compliance as the starting point, not an afterthought. Every practice we work with gets a signed BAA before we process a single patient interaction.
