
HIPAA Business Associate Agreements: What Therapists Need to Know in 2026

If you use any technology in your therapy practice — an EHR, email, telehealth, cloud storage, billing software — you almost certainly need Business Associate Agreements with some or all of those vendors. Yet BAAs are one of the most commonly overlooked aspects of HIPAA compliance for solo therapists.

This guide explains what BAAs are, which of your vendors need one, what to look for (and what to avoid), and how to get your BAA situation sorted in an afternoon.

What Is a Business Associate Agreement?

A Business Associate Agreement is a legally binding contract between you (the covered entity) and any vendor (the business associate) that creates, receives, maintains, or transmits Protected Health Information (PHI) on your behalf.

The BAA does three critical things:

  1. Defines the vendor's obligations — they must protect PHI using appropriate safeguards, report breaches, and only use the data for permitted purposes
  2. Limits their liability exposure — and clarifies yours
  3. Creates the legal framework that allows them to handle your patients' data in the first place

Without a signed BAA, a vendor handling your patient data is a HIPAA violation — even if they have perfect security. The agreement itself is required.

Which Vendors Need a BAA?

The rule is simple: if a vendor could potentially access, store, process, or transmit any patient health information, they need a BAA. For a typical solo therapy practice, that includes:

Definitely need a BAA

EHR system (SimplePractice, TherapyNotes, Jane App, etc.) — This is the most obvious one. Your EHR stores everything: notes, diagnoses, treatment plans, contact information, insurance details. Every reputable therapy EHR offers a BAA. If yours doesn't, switch immediately.

Email provider (if used for any patient communication) — This is where most therapists slip up. If you ever send or receive emails containing patient names, appointment confirmations, session reminders, or clinical information, you need a BAA with your email provider. Regular Gmail does not offer BAAs. Google Workspace (paid) does. See our Gmail HIPAA guide for the full breakdown.

Telehealth platform — Doxy.me, Zoom for Healthcare, SimplePractice Telehealth, and other HIPAA-focused platforms all offer BAAs. Regular Zoom, FaceTime, Google Meet, and Skype do not.

Cloud storage and backup — If you store any patient-related files in Dropbox, Google Drive, iCloud, or OneDrive, you need a BAA. Google Drive (via Workspace with BAA) and Dropbox Business both offer BAAs. Personal accounts generally do not.

Billing and clearinghouse — If you use a separate billing service or claims clearinghouse, they handle PHI and need a BAA.

Often forgotten

Answering service — If your answering service takes messages that include patient names or appointment details, they're handling PHI.

Transcription service — If you dictate notes using a service that processes audio containing patient information.

IT support provider — If your IT person has access to your computer, EHR, or network, they could potentially access PHI.

Shredding company — If they handle paper records containing PHI.

Website hosting / form provider — If your website has a contact form that collects patient inquiries mentioning health conditions.

Do NOT need a BAA

Your landlord — unless they have access to your records

Your phone company — the voice transmission itself isn't covered (but your voicemail might be if it contains PHI)

Payment processors — if they only handle financial transactions and never see clinical information (though many billing integrations do)

What Should a BAA Contain?

A proper BAA must include these elements (per 45 CFR § 164.504(e)):

Permitted uses and disclosures. Specifically what the business associate is allowed to do with your patients' data. This should be narrow — only what's needed for the service they provide.

Safeguard requirements. The BA must use appropriate safeguards to prevent unauthorised use or disclosure of PHI. This includes administrative, physical, and technical safeguards.

Breach notification obligations. The BA must report any breach of unsecured PHI to you within a specified timeframe (typically 60 days, though many BAAs specify shorter).

Subcontractor requirements. If the BA uses subcontractors who handle PHI, those subcontractors must also agree to the same protections.

Return or destruction of PHI. When the relationship ends, the BA must return or destroy all PHI they hold (or explain why that's not feasible).

Individual rights support. The BA must make PHI available to you when patients exercise their right to access their records.

HHS audit cooperation. The BA must make their practices and records available to HHS for compliance verification.

Termination provisions. You must be able to terminate the agreement if the BA violates its terms.

Red Flags in BAAs

Not all BAAs are created equal. Watch for these warning signs:

No BAA available at all. If a vendor that handles PHI refuses to sign a BAA or says they don't offer one, stop using them for anything involving patient data. Immediately.

Excessive liability limitations. Some BAAs try to limit the vendor's liability for breaches to trivially small amounts. The BAA should hold them accountable for failures on their end.

Vague breach notification timelines. "We'll notify you promptly" isn't specific enough. Look for a concrete number — 30 days or fewer is reasonable.

No mention of subcontractors. If the vendor uses AWS, Google Cloud, or other infrastructure providers, the BAA should address subcontractor obligations.

One-sided termination clauses. You should be able to terminate if they violate the BAA. If only they can terminate, that's a problem.

"BAA" that's actually just a Terms of Service. Some vendors claim their standard ToS covers HIPAA requirements. It doesn't. A BAA is a specific legal document with specific required provisions.

How to Get BAAs From Your Current Vendors

For most major therapy-focused vendors, getting a BAA is straightforward:

SimplePractice — BAA is part of your account setup. Available in your account settings. Auto-signed when you accept their terms.

TherapyNotes — BAA available during onboarding or in account settings.

Jane App — BAA available in their legal agreements section.

Google Workspace — Must be activated manually. Go to Admin Console → Account → Legal and compliance → BAA. Note: this is only available on paid Workspace plans, not free Gmail.

Microsoft 365 — BAA is available for business and enterprise plans. Review and accept through the admin centre.

Doxy.me — BAA included in their HIPAA compliance documentation for paid plans.

Zoom for Healthcare — BAA available for Healthcare plan subscribers only (not regular Zoom Pro/Business).

Dropbox Business — BAA available for Business and Enterprise plans.

If your vendor isn't listed here, search their help documentation for "BAA" or "Business Associate Agreement." If you can't find it, email their support team directly and ask.

Building Your BAA Tracker

A BAA tracker is simply a document that lists every vendor, their BAA status, and key dates. Here's what to include for each vendor:

| Field | Example |
|-------|---------|
| Vendor name | SimplePractice |
| Service type | EHR |
| Handles PHI? | Yes |
| BAA signed? | Yes |
| Date signed | March 15, 2026 |
| Review date | March 15, 2027 |
| Contact | support@simplepractice.com |
| Notes | Auto-accepted during onboarding |

Go through every piece of technology you use in your practice. For each one, ask: "Could this vendor ever see, store, or transmit patient health information?" If yes, verify you have a signed BAA.

Your Yundra Compliance Pack includes a pre-populated BAA tracker built from your assessment answers — it identifies which vendors need BAAs based on the tools you told us you use.

What If a Vendor Won't Sign a BAA?

You have three options:

  1. Switch to a vendor that will. For every non-compliant vendor, there's a compliant alternative. Regular Gmail → Google Workspace. Regular Zoom → Doxy.me. Personal Dropbox → Dropbox Business.

  2. Stop using them for PHI. If you love a tool but it won't sign a BAA, you can keep using it — just never, ever put patient information in it.

  3. Accept the risk. This is not recommended. Using a vendor without a BAA when one is required is a HIPAA violation. Period.

The Annual BAA Review

Your BAA situation isn't "set and forget." Review annually:

  • Are all BAAs still current?
  • Have you added any new vendors since last review?
  • Have any vendors changed their terms or policies?
  • Have any vendors been involved in a data breach? (Check HHS's breach portal)
  • Are there vendors you've stopped using whose BAAs should be terminated?

Document each review with a date and findings. This demonstrates ongoing compliance — exactly what OCR wants to see.
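The tracker table above and the annual review checklist can be turned into a small script that applies the checks for you. The following is an added example, not Yundra's tool or any vendor's code: it stores one record per vendor with the same fields as the tracker, then flags vendors that handle PHI without a signed BAA, BAAs whose review date falls within the next 30 days (defaulting to one year after signing when no review date was recorded), and signed BAAs for vendors you have stopped using. The vendor records are constructed sample data, not a real practice's inventory.

```python
"""BAA tracker checks: missing BAAs, reviews coming due, and BAAs to terminate.

Added example, not code from the original article. The vendor records below
are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Vendor:
    """One row of the BAA tracker."""
    name: str
    service_type: str
    handles_phi: bool          # could this vendor see, store or transmit PHI?
    baa_signed: bool
    date_signed: Optional[date] = None
    review_date: Optional[date] = None   # defaults to one year after signing
    in_use: bool = True        # False once you have stopped using the vendor
    notes: str = ""

    def effective_review_date(self) -> Optional[date]:
        """Explicit review date if recorded, else one year after signing."""
        if self.review_date is not None:
            return self.review_date
        if self.date_signed is not None:
            return self.date_signed + timedelta(days=365)
        return None


def missing_baas(vendors: List[Vendor]) -> List[str]:
    """Vendors still in use that handle PHI but have no signed BAA."""
    return [v.name for v in vendors
            if v.in_use and v.handles_phi and not v.baa_signed]


def reviews_due(vendors: List[Vendor], today: date, within_days: int = 30) -> List[str]:
    """Signed BAAs whose review date is overdue or falls within `within_days`."""
    horizon = today + timedelta(days=within_days)
    due = []
    for v in vendors:
        if not (v.in_use and v.baa_signed):
            continue
        review = v.effective_review_date()
        if review is not None and review <= horizon:
            due.append(v.name)
    return due


def baas_to_terminate(vendors: List[Vendor]) -> List[str]:
    """Vendors you no longer use but whose BAA has not been terminated."""
    return [v.name for v in vendors if v.baa_signed and not v.in_use]


def review_report(vendors: List[Vendor], today_iso: str) -> dict:
    """Run all three checks for the annual (or monthly) review, dated `today_iso`."""
    today = date.fromisoformat(today_iso)
    return {
        "review_date": today_iso,
        "missing_baas": missing_baas(vendors),
        "reviews_due": reviews_due(vendors, today),
        "baas_to_terminate": baas_to_terminate(vendors),
    }


# Constructed sample inventory (hypothetical practice, not real account data).
SAMPLE_VENDORS = [
    Vendor("SimplePractice", "EHR", True, True,
           date(2026, 3, 15), date(2027, 3, 15), notes="Auto-accepted during onboarding"),
    Vendor("Personal Gmail", "Email", True, False,
           notes="Free Gmail offers no BAA; migrate to Workspace"),
    Vendor("Dropbox Business", "Cloud storage", True, True, date(2025, 4, 1)),
    Vendor("Old telehealth tool", "Telehealth", True, True,
           date(2024, 1, 10), in_use=False, notes="Stopped using; BAA never terminated"),
    Vendor("Landlord", "Office lease", False, False),
]


if __name__ == "__main__":
    for key, value in review_report(SAMPLE_VENDORS, "2026-03-20").items():
        print(f"{key}: {value}")
```

Run it with the review date of the day you are doing the review; an empty list under each heading is the result you are looking for, and anything listed under `missing_baas` is the item to act on first.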

Getting Your BAAs in Order This Week

Here's a practical action plan:

Monday. List every piece of technology you use in your practice. Every app, every service, every vendor.

Tuesday. For each one, determine: does this vendor handle PHI? Mark yes, no, or maybe.

Wednesday. For every "yes," verify you have a signed BAA. Check your account settings, email archives, or contact the vendor.

Thursday. For any missing BAAs, either sign one (most vendors make this easy) or begin evaluating alternatives.

Friday. Document everything in a BAA tracker. Date it. Save it with your compliance files.

If you want this done automatically, take the free HIPAA assessment — the Compliance Pack includes a vendor tracker pre-populated with your specific tools and their BAA status.
