
HIPAA Business Associate Agreement for SaaS Companies Selling to Healthcare

By BAA Generator Editorial  ·  Updated Apr 19, 2026  ·  6 min read


Key Takeaways

Direct answer: If your SaaS product processes, stores, or accesses protected health information on behalf of healthcare customers, your company is a HIPAA business associate. You must sign a BAA with each healthcare customer before they can legally share PHI with your platform — and you must have BAAs with your own subcontractors (cloud providers, analytics tools) who access that PHI.

If you're selling software to hospitals, clinics, health plans, or any other HIPAA covered entities, BAA execution is not a legal formality — it's a precondition to the deal. Healthcare buyers cannot legally share patient data with your platform without it. Here's what your startup or SaaS company needs to understand.

Are You a Business Associate?

A SaaS company is a HIPAA business associate if it creates, receives, maintains, or transmits PHI on behalf of a covered entity, or provides a service to a covered entity that requires access to PHI. Common SaaS categories that trigger BA status include analytics platforms processing patient data, communication tools used for care coordination, billing software handling claims data, and cloud infrastructure storing clinical records.

If your platform never accesses PHI, for example because you only handle billing data at the aggregate level with no patient identifiers, you may not be a business associate. But if patient names, dates of service, diagnosis codes, or other PHI flow through your systems, a BAA is required. Note that "access" is about capability, not intent: HHS guidance on cloud computing treats a provider that stores encrypted ePHI as a business associate even if it never holds the decryption key.

The BAA as a Sales Enabler

Healthcare buyers, particularly hospitals and health systems, have formal vendor risk management processes. Before any enterprise deal can close, their legal and compliance teams will require an executed BAA, usually alongside their security due diligence, because no PHI can flow to your platform without it.

Having your BAA template ready — and being able to turn it around in days rather than weeks — is a competitive advantage. Startups that don't have a BAA ready often lose deals or delay closes while they scramble to draft one.

What Your BAA Should Cover as a Vendor

When you provide your own BAA to healthcare customers (rather than accepting theirs), you can draft favorable terms in several areas:

Scope of PHI

Define exactly what categories of PHI your platform may access. Narrowing the scope limits your liability exposure, bounds the data you have to safeguard and report on, and sets clear expectations. If you only process appointment scheduling data, specify that; don't leave the scope open-ended.

Breach Notification Timeline

HIPAA requires a business associate to notify the covered entity of a breach of unsecured PHI "without unreasonable delay" and no later than 60 calendar days after discovery, where discovery is the first day the breach is known, or by exercising reasonable diligence would have been known, to any employee or agent of yours. Your BAA can specify a shorter timeline (e.g., 30 days, or 72 hours for an initial discovery notice) or carve out an internal investigation window before formal notice, but the 60-day limit is a regulatory ceiling that a contract cannot extend, and any investigation window has to fit inside it. Be careful about committing to timelines you can't operationally meet: a contractual clock you miss is a breach of the BAA on top of the underlying incident.

Permitted Uses of PHI

Your BAA should explicitly state what you can do with the PHI beyond your core service function, for example whether you can use de-identified data for product improvement, benchmarking, or AI model training. Note that de-identifying PHI is itself a use of PHI, so the BAA must authorize you to de-identify it in the first place; once data meets the HIPAA de-identification standard it is no longer PHI, but you only get there if the agreement permits the step. Vague language here creates disputes later.

Subcontractor Obligations

Include a representation that you have or will execute BAAs with all subcontractors who access PHI. This is required under 45 CFR § 164.308(b)(2). List key subcontractors if your customer requires it, or commit to maintaining a list on request.

Subcontractor BAAs: Your Own Vendor Obligations

As a business associate, you're responsible for the downstream handling of PHI by your own vendors. This means you need BAAs with every subprocessor that can access PHI in your stack: cloud infrastructure providers (AWS, GCP, Azure), database and storage vendors, monitoring and logging tools, analytics platforms, and any other third party whose systems PHI passes through.

Conduct an annual audit of your subprocessors to ensure BAAs exist wherever required. Pay particular attention to tools that receive PHI indirectly, such as error trackers, log aggregators, and support ticketing systems, where stack traces, request bodies, and customer screenshots can carry patient data the vendor was never meant to see. When you add a new tool to your stack, BAA review should be part of your vendor onboarding checklist.
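One way to make the annual audit and the onboarding gate mechanical is to keep a subprocessor inventory and check it in code. The following is an added example, not code from the original page or from any vendor; the inventory format, the finding codes, and the sample vendors are constructed for illustration. Each entry records whether the vendor can access PHI, whether a BAA is on file, and which PHI categories that BAA scopes (the scoping point from the section above).

```python
"""Subprocessor BAA inventory check (added example; hypothetical inventory)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Subprocessor:
    name: str
    purpose: str
    phi_access: bool                     # can the vendor's systems see PHI?
    baa_executed: Optional[date] = None  # date the BAA was signed, or None
    phi_scope: Tuple[str, ...] = ()      # PHI categories the BAA permits


def audit_subprocessor(v: Subprocessor) -> List[str]:
    """Return finding codes for one vendor; an empty list means no gap."""
    findings: List[str] = []
    if v.phi_access and v.baa_executed is None:
        # PHI reaches this vendor with no BAA: cannot lawfully share PHI here.
        findings.append("BAA_MISSING")
    if v.phi_access and v.baa_executed is not None and not v.phi_scope:
        # A BAA exists but does not say which PHI the vendor may handle.
        findings.append("SCOPE_UNDEFINED")
    if not v.phi_access and v.phi_scope:
        # Inventory claims no PHI access yet lists PHI categories; re-check.
        findings.append("INCONSISTENT")
    return findings


def audit_inventory(inventory: List[Subprocessor]) -> Dict[str, List[str]]:
    """Map vendor name -> findings for every vendor with at least one gap."""
    return {v.name: f for v in inventory if (f := audit_subprocessor(v))}


def onboarding_gate(v: Subprocessor) -> bool:
    """True if a new tool may be added to the stack: either it never touches
    PHI, or a BAA with a defined PHI scope is already in place."""
    return not audit_subprocessor(v)


# Constructed sample inventory (hypothetical vendors, not a real stack).
INVENTORY = [
    Subprocessor("cloud-hosting", "compute + object storage", True,
                 date(2025, 1, 15), ("clinical records", "appointment data")),
    Subprocessor("error-tracker", "exception reporting", True),       # no BAA
    Subprocessor("billing-ledger", "aggregate invoicing, no identifiers", False),
    Subprocessor("analytics-warehouse", "product analytics", True,
                 date(2025, 3, 1)),                                    # no scope
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```

Run it on the sample inventory and the error tracker is flagged BAA_MISSING (it receives stack traces that can contain PHI) while the analytics warehouse is flagged SCOPE_UNDEFINED; the hosting provider and the aggregate billing ledger pass. The same `onboarding_gate` check can sit in the vendor onboarding workflow so a tool with PHI access cannot be approved until a scoped BAA is recorded.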

Minimum Security Requirements Under Your BAA

By signing a BAA, you're committing to implement appropriate safeguards for PHI. At minimum, this means the administrative, physical, and technical safeguards of the Security Rule (45 CFR §§ 164.308, 164.310, and 164.312): a documented risk analysis and risk management process, workforce security training, access controls with unique user identification, audit controls, integrity protections, person or entity authentication, and transmission security. Encryption is an addressable specification rather than a flat mandate, but breach notification obligations apply only to unsecured PHI, so encryption in transit and at rest is the practical baseline every healthcare buyer will expect.

These aren't just contractual commitments — they're HIPAA Security Rule requirements that apply to business associates directly under the HITECH Act.


Frequently Asked Questions

Does a SaaS company need to sign a HIPAA BAA?
Yes — if your SaaS product accesses, stores, processes, or transmits protected health information on behalf of a healthcare covered entity (hospital, clinic, health plan, etc.), your company is a HIPAA business associate. You must sign a Business Associate Agreement with each covered entity customer before they can share PHI with your platform. Refusing to sign a BAA means the healthcare customer legally cannot use your product with PHI.
What makes a SaaS company a HIPAA business associate?
A SaaS company becomes a HIPAA business associate when it: (1) creates, receives, maintains, or transmits PHI on behalf of a covered entity; or (2) provides certain services to a covered entity where the service requires access to PHI. This includes analytics platforms processing patient data, communication tools used for care coordination, billing software handling claims data, and cloud infrastructure storing clinical records.
Can a SaaS startup use its own BAA template?
Yes — SaaS companies can and often should provide their own BAA template to healthcare customers rather than accepting each customer's form. A vendor-drafted BAA can limit your liability, clarify scope, and set reasonable terms for breach notification timelines. The BAA must still include all mandatory provisions under 45 CFR § 164.504(e), but within those requirements there is room to negotiate favorable terms.
Do SaaS subcontractors also need BAAs?
Yes. Under HIPAA's subcontractor rules, if your SaaS company is a business associate and you use subcontractors who access PHI (cloud infrastructure providers like AWS/GCP/Azure, database vendors, monitoring tools, etc.), those subcontractors are also business associates and require their own BAAs with you. You remain responsible to the healthcare customer for how your subcontractors handle PHI, and each subcontractor is in turn directly liable under HIPAA for its own compliance.
