Therapy HIPAA Hub

Business Associate Agreements (BAAs) for Therapists — Complete Guide

What a BAA is, who you need one with, what it must contain, and what to do if a vendor refuses to sign one.

What Is a Business Associate Agreement?

A Business Associate Agreement (BAA) is a legally required contract under HIPAA between a covered entity (you, the therapist) and any vendor or contractor — called a Business Associate — who handles Protected Health Information (PHI) on your behalf. The BAA defines how the vendor is permitted to use your clients' data, their security obligations, and what happens in the event of a breach. Without a BAA, any PHI you share with a vendor is technically an unauthorized disclosure under HIPAA.

Who Needs a BAA with a Therapist?

Any vendor that creates, receives, maintains, or transmits PHI on your behalf is a Business Associate and requires a BAA. This includes: your EHR or practice management software (SimplePractice, TherapyNotes, Jane App, etc.), your email provider if you use it for client communication (not Gmail or standard Outlook — those providers will not sign BAAs), your telehealth platform (Doxy.me, Zoom for Healthcare, etc.), your billing service or medical billing company, your cloud storage provider if you store PHI there, your IT support vendor if they could access PHI during maintenance, your transcription service if you use AI note-taking tools, and your accountant or attorney only if they access PHI (most do not). General services like phone companies, postal services, and payment processors that transmit encrypted data but do not access PHI content are typically NOT Business Associates.

What Must a BAA Contain?

A valid HIPAA BAA must include: a description of the permitted and required uses and disclosures of PHI by the Business Associate, a requirement that the BA not use or disclose PHI other than as permitted, a requirement that the BA implement appropriate safeguards (including compliance with the HIPAA Security Rule for electronic PHI), an obligation to report breaches and security incidents to you, a provision requiring the BA to ensure that any subcontractors also comply with HIPAA, and a provision for returning or destroying PHI at the end of the relationship. Many vendors provide their own BAA templates — you do not need to write one from scratch. However, you should review the BAA before signing to confirm that it covers each of these elements.

What If a Vendor Refuses to Sign a BAA?

If a vendor that handles PHI refuses to sign a BAA, you cannot legally use them for anything involving your clients' protected health information. This is a firm rule under HIPAA — there is no exception for small vendors or free services. Your options are: (1) find an alternative vendor who will sign a BAA, (2) use the vendor only for non-PHI tasks (if technically possible), or (3) stop using the vendor entirely. Common examples: Gmail will not sign a BAA for standard accounts — you must switch to Google Workspace with the BAA option enabled, or use a HIPAA-specific email service like Hushmail for Healthcare. Zoom will sign a BAA for Zoom for Healthcare subscribers, but a standard free Zoom account does not qualify.

How Long Do You Need to Keep BAAs?

You must retain BAAs for 6 years from the date of their creation or the date they were last in effect, whichever is later. This means if you stop using a vendor today, you need to keep the BAA for 6 more years. When an OCR audit occurs, one of the first things auditors request is copies of all BAAs — past and present. Store them somewhere you can actually find them: a folder in your secure cloud storage, your EHR's document vault, or a simple locked filing cabinet.


Frequently Asked Questions

Does SimplePractice include a signed BAA?

Yes. SimplePractice provides a BAA as part of their service agreement for all paid subscribers. You do not need to separately request or negotiate a BAA — it is included when you sign up. This is one reason SimplePractice is widely recommended for therapists: it removes one of the most common HIPAA compliance gaps.

My previous EHR had a BAA. Do I need a new one when I switch?

Yes. A BAA is vendor-specific. When you switch to a new EHR or any other vendor, you need a new BAA with the new vendor. You should also ensure the old vendor has returned or destroyed your PHI per the terms of your original BAA.

Can I use a BAA template from the internet?

Yes — the Department of Health and Human Services (HHS) publishes a model BAA on their website that is compliant with the HIPAA Rules. Many vendors also provide their own BAAs. You do not need a custom-drafted BAA unless you have specific contractual needs that standard templates do not address.

What is the fine for not having a BAA?

Operating without a BAA when one is required is a HIPAA violation. Fines under the 2026 tiered structure range from $100 to $50,000 per violation, with annual maximums up to $1.9 million per violation category. The 'per violation' standard means each client record shared without a BAA could be counted separately.