The full definition
A Business Associate Agreement is the contract HIPAA requires when a healthcare provider shares PHI with a third party. The BAA obligates the business associate to implement HIPAA's required safeguards, report any breach within 60 days, allow the covered entity to audit compliance, and return or destroy PHI at the end of the relationship. Any vendor handling PHI — CRM, EHR, billing, telephony, hosting, email, file storage — needs a BAA in place.
Why it matters in practice
The biggest HIPAA risk for practices isn't a sophisticated cyberattack — it's casual use of consumer tools that don't sign BAAs. Texting patients from a personal phone, emailing them from Gmail without a BAA, storing files on consumer Dropbox, using HubSpot's standard tier — all create exposure.
Real-world examples
- Signing a BAA with your CRM vendor before they handle any patient communication
- Signing a BAA with your cloud hosting provider before storing any PHI
- Signing a BAA with a telehealth video vendor
Inside Velant
Velant offers a BAA on request — covering CRM, EHR, telephony, telehealth, billing, and all other PHI-touching workflows.
Related terms
- HIPAA-Compliant CRM: A customer relationship management system designed to handle Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996.
- PHI (Protected Health Information): Any individually identifiable health information held or transmitted by a covered entity or business associate — including name, DOB, address linked to a health condition, treatment, or payment.
- TCPA (Telephone Consumer Protection Act): A 1991 federal law restricting commercial telemarketing calls, automated text messages, and prerecorded voice messages — heavily enforced through class-action lawsuits.