Compliance & security
BAA (Business Associate Agreement)
Contract that makes a vendor legally responsible for HIPAA-protected data they touch.
A BAA is the contract between a covered entity (your practice) and a business associate (the vendor) that legally binds the vendor to HIPAA's safeguards. Without a signed BAA, sending PHI to a vendor is itself a HIPAA violation, regardless of how secure the vendor is.
Always ask: *Will you sign a BAA and can I see it before purchase?* If the answer is no, the vendor is not a serious US healthcare option.
See also
- HIPAA – US federal law protecting health information; the minimum compliance bar for US deployments.
- PHI / ePHI – Protected (electronic) Health Information; the data HIPAA covers.