
BAA vs. NDA: What's the Difference?

By BAA Generator Research Team  ·  Published Mar 24, 2026  ·  Last reviewed Apr 17, 2026  ·  3 min read

Looking for the broader comparison? The full neutral side-by-side of HIPAA documents lives at ComplyCreate's BAA vs NPP guide. Or see ComplyCreate's Which HIPAA documents do I need? decision tree.

Key Takeaways

Quick answer: No — a Non-Disclosure Agreement does not satisfy HIPAA's Business Associate Agreement requirement. NDAs are general-purpose confidentiality contracts with freely negotiable terms; a HIPAA BAA is a federally regulated contract with mandatory provisions under 45 CFR § 164.504(e), including breach notification, subcontractor flow-down, and PHI return or destruction. Signing only an NDA when a BAA is required is a HIPAA violation.

It's a surprisingly common mistake: a healthcare organization asks a vendor to sign an NDA, assuming that covers their HIPAA obligations. It doesn't. A Non-Disclosure Agreement and a Business Associate Agreement are fundamentally different instruments — and confusing them can result in serious HIPAA violations.

What Is an NDA?

A Non-Disclosure Agreement (also called a confidentiality agreement) is a general-purpose contract that can be used in virtually any industry. Its core purpose is simple: one or both parties agree not to share confidential information with third parties. NDAs are commonly used to protect trade secrets, business strategies, unreleased product plans, and proprietary data.

NDAs are not regulated by federal healthcare law. Their terms are negotiated between the parties and can vary widely — some are mutual, some are one-directional, and their definitions of "confidential information" differ from agreement to agreement.

What Is a BAA?

A Business Associate Agreement is a HIPAA-mandated contract with legally required provisions. Unlike an NDA, the core terms are not freely negotiable — they must include specific elements dictated by 45 CFR § 164.504(e). A BAA that's missing required provisions is a compliance failure regardless of what both parties agreed to.

For a full breakdown of what must be in a BAA, see our guide on HIPAA BAA requirements.

Side-by-Side Comparison

Feature | NDA | BAA
--- | --- | ---
Governed by | Contract law (state-specific) | Federal HIPAA/HITECH law
Required by law? | No (voluntary) | Yes (mandatory for covered entities)
Applies to | Any industry, any confidential information | Healthcare PHI only
Terms negotiable? | Fully negotiable | Core provisions mandated by regulation
Breach notification required? | Typically no | Yes, within a defined timeframe
Subcontractor chain required? | No | Yes, must flow down to subcontractors
Patient rights provisions? | No | Yes (access, amendment, accounting)
Government access clause? | No | Yes (HHS access required)
PHI return/destruction on termination? | No | Yes (required provision)

Can an NDA Include BAA Provisions?

Technically yes — some organizations incorporate BAA language into a broader confidentiality agreement. This is permissible as long as all required HIPAA provisions are present and clearly articulated. In that case, a document titled "NDA" that contains every HIPAA-required BAA provision functions as a BAA in substance, whatever its title says.

The risk of this approach: legal reviewers and auditors may not recognize the document as a BAA, and standard NDA templates will almost certainly be missing required HIPAA provisions. When in doubt, execute a standalone BAA.

Do You Need Both?

In some business relationships, yes. If you're sharing both proprietary business information and PHI with a vendor, having both an NDA (for trade secrets and business-sensitive data) and a BAA (for PHI) is entirely appropriate — and common in larger enterprise relationships.

The Bottom Line

An NDA does not satisfy HIPAA. If your vendor or partner has access to patient data, a BAA is required — period. Relying on an NDA in place of a BAA leaves your organization exposed to regulatory action, and does not transfer liability to the vendor the way a proper BAA does.

Not sure whether your specific vendor relationship requires a BAA? See our guide on when you need a HIPAA BAA.


Frequently Asked Questions

Is a BAA the same as an NDA?

No. A Non-Disclosure Agreement (NDA) is a general-purpose confidentiality contract used in any industry to protect trade secrets and proprietary information. A Business Associate Agreement (BAA) is a federally mandated HIPAA contract with specific required provisions under 45 CFR § 164.504(e), including breach notification requirements, subcontractor flow-down obligations, and PHI return or destruction clauses. An NDA cannot substitute for a BAA.

Can a vendor refuse to sign a BAA?

A vendor can refuse, but the covered entity cannot share PHI with them if they do. If a required BAA is not in place, the covered entity is prohibited from disclosing PHI to that vendor. The covered entity must either find an alternative vendor willing to sign, or limit the vendor's access so that no PHI is involved. Operating without a BAA when one is required is a HIPAA violation for the covered entity.

Do you need both an NDA and a BAA with the same vendor?

Sometimes yes. If you're sharing both PHI and proprietary business information with a vendor, having both an NDA (covering trade secrets and business-sensitive data) and a BAA (covering PHI) is appropriate and common in enterprise relationships. A BAA only governs the use of protected health information — it does not protect general business confidentiality the way an NDA does.

What makes a BAA legally different from other contracts?

Unlike most contracts, a HIPAA BAA has federally mandated provisions that cannot be negotiated away. The core terms — permitted uses of PHI, breach notification timelines, subcontractor requirements, and PHI destruction on termination — are dictated by 45 CFR § 164.504(e). A BAA missing any of these required provisions is non-compliant regardless of what the parties agreed to.