BAA vs. NDA: What's the Difference?

5 min read · HIPAA Compliance

It's a surprisingly common mistake: a healthcare organization asks a vendor to sign an NDA, assuming that covers their HIPAA obligations. It doesn't. A Non-Disclosure Agreement and a Business Associate Agreement are fundamentally different instruments — and confusing them can result in serious HIPAA violations.

What Is an NDA?

A Non-Disclosure Agreement (also called a confidentiality agreement) is a general-purpose contract that can be used in virtually any industry. Its core purpose is simple: one or both parties agree not to share confidential information with third parties. NDAs are commonly used to protect trade secrets, business strategies, unreleased product plans, and proprietary data.

NDAs are not regulated by federal healthcare law. Their terms are negotiated between the parties and can vary widely — some are mutual, some are one-directional, and their definitions of "confidential information" differ from agreement to agreement.

What Is a BAA?

A Business Associate Agreement is a HIPAA-mandated contract with legally required provisions. Unlike an NDA, the core terms are not freely negotiable — they must include specific elements dictated by 45 CFR § 164.504(e). A BAA that's missing required provisions is a compliance failure regardless of what both parties agreed to.

For a full breakdown of what must be in a BAA, see our guide on HIPAA BAA requirements.

Side-by-Side Comparison

| Feature | NDA | BAA |
| --- | --- | --- |
| Governed by | Contract law (state-specific) | Federal HIPAA/HITECH law |
| Required by law? | No — voluntary | Yes — mandatory for covered entities |
| Applies to | Any industry, any confidential information | Healthcare PHI only |
| Terms negotiable? | Fully negotiable | Core provisions mandated by regulation |
| Breach notification required? | Typically no | Yes — within defined timeframe |
| Subcontractor chain required? | No | Yes — must flow down to subcontractors |
| Patient rights provisions? | No | Yes — access, amendment, accounting |
| Government access clause? | No | Yes — HHS access required |
| PHI return/destruction on termination? | No | Yes — required provision |

Can an NDA Include BAA Provisions?

Technically yes — some organizations incorporate BAA language into a broader confidentiality agreement. This is permissible as long as all required HIPAA provisions are present and clearly articulated. In that case, a document titled "NDA" that contains all the HIPAA-required BAA provisions functions as a BAA in substance: what matters is the provisions it contains, not its title.

The risk of this approach: legal reviewers and auditors may not recognize the document as a BAA, and standard NDA templates will almost certainly be missing required HIPAA provisions. When in doubt, execute a standalone BAA.

Do You Need Both?

In some business relationships, yes. If you're sharing both proprietary business information and PHI with a vendor, having both an NDA (for trade secrets and business-sensitive data) and a BAA (for PHI) is entirely appropriate — and common in larger enterprise relationships.

The Bottom Line

An NDA does not satisfy HIPAA. If your vendor or partner has access to patient data, a BAA is required — period. Relying on an NDA in place of a BAA leaves your organization exposed to regulatory action, and does not transfer liability to the vendor the way a proper BAA does.

Not sure whether your specific vendor relationship requires a BAA? See our guide on when you need a HIPAA BAA.