HIPAA Business Associate Agreement for Nurse Practitioners

By BAA Generator Editorial  ·  Updated Apr 19, 2026  ·  5 min read

Key Takeaways

Direct answer: Independent nurse practitioners operating their own practice are HIPAA covered entities and must sign Business Associate Agreements with every vendor that handles patient PHI — EHR, billing company, telehealth platform, e-prescribing service, and IT support. NPs employed by hospitals or physician groups are covered by their employer's BAAs and do not need separate agreements.

The independent NP practice model has grown significantly as nurse practitioners achieve full practice authority in more states. With this independence comes full HIPAA covered entity status — and the obligation to manage BAAs with every vendor that handles patient data. This page focuses on independent NP practices; if you are an employed NP, your employer's compliance program covers your activities.

Independent NP vs. Employed NP: Who Needs BAAs?

Independent Nurse Practitioners

An NP who owns or operates their own practice — whether sole proprietor, LLC, professional corporation, or similar structure — is a covered entity under HIPAA if they transmit health information electronically in connection with covered transactions (insurance claims). They must execute BAAs with every vendor handling patient PHI as part of their practice operations. Practice size does not matter — a solo NP has the same obligations as a multi-provider group.

Employed Nurse Practitioners

An NP employed by a hospital, health system, physician group, or other covered entity is a member of that entity's workforce, not a separate covered entity. Their activities are governed by the employer's HIPAA policies and the employer's BAAs with vendors. Employed NPs do not need to obtain their own BAAs for the employer's systems. However, if an employed NP uses personal devices or personal software accounts to handle patient data outside the employer's sanctioned systems, those activities may not be covered by employer BAAs and create separate compliance risks.

Vendors Independent NP Practices Typically Need BAAs With

EHR and Practice Management Software

Independent NPs often use smaller or specialized EHR platforms. SimplePractice (popular for mental health and primary care NPs), Athenahealth, DrChrono, and Practice Fusion are commonly used by small independent practices. All major EHR platforms provide BAAs. Request the BAA as part of your onboarding and retain executed copies for at least six years per HIPAA's documentation requirements.

Telehealth Platforms

Many independent NPs provide telehealth services. The platform you use must have a signed BAA in place before any patient visits:

Standard consumer video tools (FaceTime, regular Zoom, Skype, Google Meet) do not include BAA provisions and should not be used for telehealth with HIPAA-regulated patients. See our guide on when a HIPAA BAA is required for context.

E-Prescribing (Surescripts)

E-prescribing transmits prescription information containing patient names, medications, diagnoses, and prescriber details — all PHI. Most EHR platforms include Surescripts integration, and the EHR's BAA typically covers this integration. If you use a standalone e-prescribing service separate from your EHR, that service requires a distinct BAA.

Medical Billing Services

Outside billing companies that process your insurance claims handle patient names, diagnosis codes, CPT codes, and insurance information — all PHI. A BAA is required before you share the first claim with any billing service. Many independent NPs use billing services that specialize in small practices; confirm that your billing company has a signed BAA in your file before starting service.

Patient Communication Platforms

SMS or email platforms used to send appointment reminders, care instructions, or secure messages that link a patient identity to your practice are handling PHI. Spruce Health, Klara, and similar platforms designed for healthcare communication provide BAAs. Generic email (standard Gmail, Outlook without business-tier agreements) should not be used for PHI communication without a BAA.

IT Support

Any IT provider with remote access to your systems is a business associate under HIPAA. Even if you work with a small local IT person who helps with your laptop or router, their potential access to systems containing patient records triggers the BAA requirement under 45 CFR § 164.504(e). See our checklist on whether your vendor signs BAAs.

| Vendor Type | Example Vendors | BAA Required? |
| --- | --- | --- |
| EHR / practice management | SimplePractice, Athenahealth, DrChrono | Yes |
| Telehealth platform | Doxy.me, Zoom for Healthcare | Yes |
| E-prescribing | Surescripts (via EHR), DrFirst | Yes (typically via EHR BAA) |
| Medical billing | Outsourced NP billing companies | Yes |
| Patient communication | Spruce Health, Klara, Luma Health | Yes |
| IT support | Local or remote IT provider | Yes |
| Cloud backup / storage | Microsoft 365, Google Workspace Business | Yes |

Frequently Asked Questions

Does an independent nurse practitioner need HIPAA BAAs?

Yes. An independent NP operating their own practice is a HIPAA covered entity and must execute BAAs with every vendor that handles patient PHI. This includes EHR, billing services, telehealth platforms, e-prescribing services, patient communication tools, and IT support. Practice size does not create any exemption under 45 CFR § 164.504(e).

Does an employed NP need their own BAAs?

Generally no. An employed NP is a workforce member of the covered entity employer. The employer's BAAs with vendors cover the NP's work activities. The exception: if an employed NP uses personal, unsanctioned software or devices to handle patient data outside employer-approved systems, those activities are not covered by the employer's BAAs and create compliance risks.

What telehealth platforms sign BAAs for NPs?

Doxy.me includes a BAA for healthcare providers at all plan tiers, including free. Zoom for Healthcare (not standard Zoom) provides a BAA on its Healthcare plan. SimplePractice and other EHR-integrated telehealth tools also provide BAAs. Standard consumer video tools do not qualify for HIPAA telehealth.

Do independent NPs need a BAA for e-prescribing?

Yes. E-prescribing transmits PHI. Most EHR platforms integrate Surescripts, and the EHR vendor's BAA covers this integration. If you use a standalone e-prescribing service, that service requires its own BAA. Confirm coverage with your EHR vendor before assuming the integration is covered.