HIPAA Business Associate Agreement for Nursing Homes
By BAA Generator Editorial · Updated Apr 19, 2026 · 5 min read
Key Takeaways
- ✓ Nursing homes and SNFs are HIPAA covered entities with BAA obligations across a broad vendor ecosystem
- ✓ Long-term care EHR platforms (PointClickCare, MatrixCare) and pharmacy vendors require BAAs
- ✓ Family communication portals that share clinical updates are business associates requiring BAAs
- ✓ Activity management and wander management software require BAAs when they link to resident identities
Nursing homes and skilled nursing facilities operate one of the most complex vendor ecosystems in healthcare. Unlike an outpatient practice that primarily needs an EHR and a billing company, a SNF may use separate systems for clinical documentation, pharmacy management, therapy services (PT/OT/SLP), nutrition and dietary planning, activity programming, wander management, family communication, and financial billing — each representing a distinct vendor relationship that may require a BAA.
Why Nursing Homes Are Covered Entities
Nursing homes and SNFs are healthcare providers under HIPAA. Those that transmit health information electronically in connection with Medicare or Medicaid claims are covered entities subject to the full HIPAA Privacy and Security Rules.
This includes:
- Medicare-certified skilled nursing facilities
- Medicaid-certified nursing facilities
- Continuing care retirement communities (CCRCs) with skilled nursing components
- Assisted living facilities that provide skilled nursing care
- Long-term acute care hospitals (LTACHs)
Vendors Nursing Homes Typically Need BAAs With
Long-Term Care EHR Platforms
PointClickCare, MatrixCare, and American HealthTech (part of Netsmart) are the three most widely deployed long-term care EHR platforms in the SNF market. These systems hold resident clinical records, care plans, MDS assessment data, and billing information. All provide BAAs — confirm that signed agreements are on file and review them for adequate scope when modules like pharmacy, therapy, or family portals are separately licensed.
Pharmacy Vendors
Long-term care pharmacies that supply medications and maintain medication administration records (MAR) for residents are business associates. The dispensing pharmacy and any software platform used to manage eMAR (electronic medication administration record) functionality each require a BAA. Long-term care pharmacy networks like PharMerica, Omnicare (CVS Health), and Guardian Pharmacy all operate under BAA frameworks.
Therapy Management Systems
SNFs providing skilled therapy services (PT, OT, SLP) often use separate therapy management software — or contract with therapy staffing companies that use their own platforms. Therapy management vendors (including those integrated into PointClickCare or MatrixCare) and contracted therapy staffing companies that access resident clinical records require BAAs.
Dietitian and Nutrition Software
Nutrition assessment, meal planning, and dietary management platforms that link resident dietary needs to clinical records (allergies, swallowing assessments, weight tracking) are handling PHI. If your dietary department uses a standalone nutrition software platform, verify whether that vendor has a signed BAA in place.
Activity Management Software
Activity management platforms used to document resident participation, preferences, and behavioral engagement may contain PHI if they store resident names alongside clinical observations or link to care plan goals. Platforms like Linked Senior or LifeLoop, when used to document clinical activity data, require BAAs. See our guide on when a HIPAA BAA is required for the decision framework.
Electronic Wander Management Systems
Wander management and security systems (RFID or GPS-based) that track resident locations and generate alerts link resident identities to location and behavioral data — PHI when associated with a resident's care record. Vendors of wander management systems require BAAs when their systems integrate with resident records.
Family Communication Portals
Family engagement platforms that share care updates, daily notes, or clinical status with authorized family members handle PHI. These portals are business associates and require BAAs. Nursing homes should also review their authorization practices for family access — not all family members are automatically authorized to receive clinical PHI under HIPAA's personal representative rules.
Billing, RCM, and Insurance Companies
Billing companies and revenue cycle management vendors that process Medicare, Medicaid, and commercial insurance claims handle resident PHI and require BAAs. Review our checklist on whether your vendor signs BAAs before engaging any new billing vendor.
| Vendor Type | Example Vendors | BAA Required? |
|---|---|---|
| LTC EHR | PointClickCare, MatrixCare, American HealthTech | Yes |
| LTC pharmacy / eMAR | PharMerica, Omnicare, Guardian Pharmacy | Yes |
| Therapy management | Net Health, Casamba, therapy staffing companies | Yes |
| Nutrition / dietary | Dietary management software vendors | Yes (if PHI linked) |
| Activity management | Linked Senior, LifeLoop | Yes (if clinical data) |
| Wander management | Stanley Healthcare, CenTrak | Yes (if integrated with records) |
| Family communication portal | PointClickCare family portal, Caregility | Yes |
| Billing / RCM | Outsourced billing companies | Yes |
Frequently Asked Questions
Are nursing homes required to execute HIPAA BAAs?
Yes. Nursing homes and SNFs are healthcare providers and HIPAA covered entities. They must execute BAAs with every vendor that creates, receives, maintains, or transmits PHI on their behalf under 45 CFR § 164.504(e). The long-term care vendor ecosystem is broad, so nursing homes should conduct regular audits to ensure no vendor relationships have been overlooked.
What technology vendors in long-term care require BAAs?
LTC EHR platforms (PointClickCare, MatrixCare, American HealthTech), pharmacy vendors, therapy management systems, dietary software (when linked to clinical records), activity management platforms, wander management systems, family communication portals, billing companies, and IT support providers all require BAAs.
Do nursing home activity programs require HIPAA BAAs?
Yes, when the activity management software stores clinical documentation linked to resident identities. Activity platforms that document participation alongside behavioral observations, clinical goals, or care plan elements handle PHI and require BAAs with the platform vendor.
Do family communication portals for nursing homes require BAAs?
Yes. Family portals that share care updates or clinical information with authorized family members handle PHI, and the portal vendor is a business associate requiring a BAA. Ensure family members accessing the portal are properly authorized under HIPAA's personal representative provisions.