Does a Business Associate Agreement Make AI HIPAA Compliant?

Short Answer

No.

A Business Associate Agreement (BAA) may be an important requirement when evaluating an AI vendor, but a BAA alone does not make an AI tool HIPAA compliant.

As therapists begin exploring AI tools, many eventually encounter the same recommendation: make sure the company offers a Business Associate Agreement.

That advice is not wrong. In many situations, a BAA is an important part of the evaluation process. The problem is that the conversation often stops there.

If a company advertises HIPAA compliance, serves healthcare organizations, offers a BAA, and has a large customer base, it is easy to assume the major compliance concerns have already been addressed. Many therapists reasonably assume that a well-established company has invested significant resources into understanding healthcare requirements and that other organizations have already vetted the platform.

In many cases, that may be partially true.

What often gets overlooked is that HIPAA compliance is not determined by the vendor alone. A Business Associate Agreement can establish responsibilities between the company and the practice, but it does not determine how the technology is actually used within the practice.

That distinction becomes especially important when evaluating AI tools.

The agreement matters. The vendor matters. The technology matters.

The larger question is whether the overall use of the technology supports HIPAA compliance.

A BAA helps define responsibilities between the vendor and the practice. It does not determine whether the technology is being used in a HIPAA-compliant manner.

Why Are Therapists Asking About BAAs and AI?

Over the past few years, AI has gone from something most therapists rarely thought about to something that seems to be showing up everywhere.

AI features are being added to electronic health records, documentation platforms, telehealth systems, and products marketed specifically to mental health professionals. At the same time, therapists are hearing more conversations about AI from colleagues, vendors, consultants, professional organizations, social media groups, and continuing education programs.

Depending on who they ask, they may receive very different answers about what is allowed, what is risky, and what HIPAA requires.

In the middle of all that information, many therapists are simply trying to determine whether a particular tool is appropriate for use in their practice.

That is one reason Business Associate Agreements receive so much attention.

Questions about documentation workflows, risk assessments, AI policies, and privacy considerations can become complicated quickly. A Business Associate Agreement feels much more straightforward. A therapist can ask whether a vendor offers one. The company can answer yes or no.

It becomes a visible part of the evaluation process.

The challenge is that AI tools introduce considerations that often extend beyond whether a company is willing to sign a contract.

A Business Associate Agreement remains an important part of the conversation. It is simply one piece of a much larger evaluation process.

What Is a Business Associate Agreement?

Therapists hear the term Business Associate Agreement, often shortened to BAA, all the time when evaluating technology vendors. Before talking about what a BAA does not do, it helps to understand what the agreement is actually designed to do.

A Business Associate Agreement is a contract between a healthcare provider and a vendor that may have access to protected health information as part of the services they provide.

For therapists, BAAs are commonly associated with electronic health records, practice management platforms, telehealth systems, cloud storage providers, billing companies, and other vendors that may handle protected health information on the practice’s behalf.

The purpose of the agreement is to establish certain responsibilities related to the handling and protection of that information. It helps define expectations between the practice and the vendor and outlines how protected health information will be handled within that relationship.

Under HIPAA, Business Associate Agreements are generally required when a vendor creates, receives, maintains, or transmits protected health information on behalf of a covered entity.

The U.S. Department of Health and Human Services explains in its guidance on Business Associates that Business Associate Agreements help establish responsibilities for vendors that create, receive, maintain, or transmit protected health information on behalf of covered entities.

Because BAAs are discussed so frequently in HIPAA compliance conversations, it is easy to begin viewing them as a measure of whether a company is HIPAA compliant.

That is not really the purpose of the agreement.

A Business Associate Agreement helps establish responsibilities between the vendor and the covered entity. It does not determine whether the technology is being used in a HIPAA-compliant manner within the practice.

That distinction becomes particularly important when AI tools enter the conversation.

Does a BAA Mean an AI Tool Is HIPAA Compliant?

Most therapists are trying to do the right thing and make good decisions with the information they have.

They want to choose tools that support their work while protecting client information and meeting their professional obligations.

The difficulty is that compliance is often discussed as though it is something a vendor can simply provide.

A company can provide a contract. It can provide security features. It can provide tools that support compliant use.

What it cannot do is determine how the technology is ultimately used within an individual practice.

That distinction is reflected in HIPAA itself. The HIPAA Security Rule is built around a broader framework of administrative, physical, and technical safeguards rather than a single document or contract.

The Office for Civil Rights identifies risk analysis as a foundational component of HIPAA compliance in its Guidance on Risk Analysis Requirements under the HIPAA Security Rule.

A therapist may feel reassured when a vendor offers a BAA, and that reassurance may be completely appropriate.

A signed agreement answers some questions, but not all of them.

[Infographic: a common misconception about AI and HIPAA compliance compared with what HIPAA actually evaluates. Signing a Business Associate Agreement (BAA) alone does not make an AI tool HIPAA compliant; HIPAA compliance also involves practice workflows, policies and procedures, staff use, risk management, and ongoing oversight.]

Figure 1. A Business Associate Agreement may be an important requirement when evaluating an AI vendor, but HIPAA compliance involves broader operational, administrative, and technical considerations within the practice.

Why This Matters for AI

AI conversations often focus heavily on the technology itself.

People want to know whether a particular platform is compliant, approved, safe, or allowed.

Those questions make sense.

The question that often receives less attention is how the technology will actually be used within the practice.

Two therapists can use the same AI platform, sign the same BAA, and have very different compliance considerations based on how the technology is incorporated into their workflows.

That is one reason compliance questions are often difficult to answer with a simple yes or no.

The software matters.

The agreement matters.

How the technology is used matters too.

The Bottom Line

A Business Associate Agreement does not make an AI tool HIPAA compliant.

What it does is establish responsibilities between the vendor and the practice regarding the handling of protected health information.

That is important.

It is just not the entire compliance picture.

A BAA can answer important questions about a vendor relationship, but it does not answer every compliance question a therapist should consider before introducing a new technology into practice.

FAQs

Why do some AI companies offer a BAA while others do not?

Not every company is willing to assume the obligations associated with serving healthcare organizations. Vendors that offer BAAs are typically indicating that they are willing to enter into a contractual relationship that includes HIPAA-related responsibilities.

Is a BAA still important if it does not make a tool HIPAA compliant?

Absolutely.
This article is not suggesting that BAAs are unnecessary. In many situations, obtaining a BAA is an important step when working with a vendor that may handle protected health information.
The issue is not whether the BAA matters.
The issue is assuming the BAA answers every compliance question.

Does having a BAA mean a vendor takes HIPAA seriously?

It can be a positive sign that a vendor is willing to support healthcare organizations and accept certain contractual responsibilities. However, a BAA should be viewed as one factor in an overall evaluation rather than the sole basis for a decision.

Can a vendor offer a BAA and still require additional compliance steps?

Yes.
In fact, that is often the case. A vendor may provide a BAA while the practice remains responsible for various operational, administrative, and technical decisions related to how the technology is used.

Does a BAA guarantee that every feature within an AI platform is covered?

Not necessarily.
Some vendors may offer a Business Associate Agreement for certain products, plans, or services while excluding others. Before relying on any AI platform, therapists should verify which features, integrations, and services are actually covered under the agreement.

Related Articles in This AI + HIPAA Series

Therapists exploring AI documentation often have additional questions that extend beyond progress notes alone.

Related topics include:

Other Compliance Articles Coming Soon…

  • Can Therapists Paste Client Information Into AI Tools?
  • What Should an AI Policy Include for a Therapy Practice?
  • Can Group Practices Allow Staff to Use AI Documentation Tools?
  • Are AI Therapy Note Tools Safer Than Recording Sessions?
  • What Happens if AI Stores PHI?
  • Can Therapists Use AI for Treatment Plans?
  • How Should Therapists Document AI Use in Practice?

Sources

[1] U.S. Department of Health & Human Services (HHS). Business Associates. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html

[2] U.S. Department of Health & Human Services (HHS). HIPAA Security Rule Guidance Material. https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html

[3] Office for Civil Rights (OCR). Guidance on Risk Analysis Requirements under the HIPAA Security Rule. https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html

About the Author
Samantha Schalk, LMSW-C, LMSW-M, CAADC, CIMHP, BCP3

Samantha is a licensed mental health professional, private and group practice owner, and the founder of Guardian Clinical Essentials™, where she helps therapists and group practices implement practical, audit-ready HIPAA and state-specific compliance systems.

Drawing from direct experience in clinical practice and compliance consulting, Samantha specializes in translating complex federal and state regulations into clear, usable policies, tools, and workflows designed specifically for mental health providers.

Learn more about her work with mental health practices.
