Nona Clinical IT

What a BAA Actually Covers (and What It Doesn't)

Every IT vendor that touches your patient data should sign a Business Associate Agreement. Most practices know that much. What surprises them is how many vendors quietly don't — and how little protection a signed BAA gives you if you never read what's inside it.

The one-sentence version

A BAA is a contract that makes your vendor legally responsible for protecting the patient data you let them touch. No BAA means you carry their mistakes. With one, they carry their own — and HHS can come after them directly.

What a real BAA covers

  • Permitted uses. Exactly what the vendor may do with PHI — and nothing else. An IT company managing your Microsoft 365 may need to access mailboxes during a migration; it does not need to mine them.
  • Safeguards. The vendor commits to the HIPAA Security Rule's administrative, physical, and technical safeguards. Vague "we take security seriously" language is not a safeguard.
  • Breach notification. How fast the vendor must tell you when something goes wrong. Look for a number of days, not "promptly." Federal rules give you 60 days to notify patients — your clock starts ticking while their lawyer drafts a letter.
  • Subcontractors. If your vendor hands data to their vendor, that subcontractor needs the same obligations. This is where chains quietly break.
  • Return or destruction. When the relationship ends, your data comes back or gets verifiably destroyed. Vendors that vanish with backups are a real problem we've cleaned up after.

What a BAA does NOT cover

  • It doesn't make a sloppy vendor competent. A BAA shifts liability; it doesn't configure MFA, encrypt laptops, or stop a phishing email. Compliance paper plus insecure systems is the worst combination — you'll pass a vendor checklist and still end up on the HHS breach portal.
  • It doesn't cover tools that refuse to sign. Free Gmail, personal Dropbox, most consumer AI tools — no BAA, no PHI. If staff are pasting patient information into tools your IT vendor never blessed, the BAA on file doesn't help.
  • It doesn't apply retroactively. Data shared before signing isn't protected by the agreement.

Three questions to ask your current IT provider

  1. "Can you send me the BAA we have on file?" — If the answer takes more than a day, you may not have one.
  2. "Which of the tools you manage for us are covered by their own BAAs?" — Microsoft 365 has one (if it was set up properly). Does your backup vendor? Your email-security layer?
  3. "When were our safeguards last reviewed against the Security Rule?" — A date and a document is the right answer.

Where Nona Clinical IT stands

We sign a BAA by default, before work begins — it's the gate, not the afterthought. Every tool in our managed stack either carries its own BAA chain or doesn't touch PHI, full stop. If you'd like a second set of eyes on the agreements you already have, that's a 30-minute conversation: contact us.
