HIPAA BAA vs. SaaS Agreement: When You Need Both
By BAA Generator Editorial · Published Apr 19, 2026 · Last reviewed Apr 19, 2026 · 5 min read
Key Takeaways
- A SaaS agreement and a BAA are separate legal documents serving different purposes — you typically need both
- A SaaS agreement governs pricing, uptime, IP, and liability; a BAA governs PHI handling obligations under HIPAA
- Some vendors embed BAA provisions in their terms of service — verify these contain all 45 CFR § 164.504(e)(2) required elements
- The most common gap: vendors with HIPAA-compliant infrastructure but no BAA in place — compliance and execution are separate issues
The most common misconception among small practices adopting new SaaS tools is that signing the vendor's standard terms of service automatically handles HIPAA compliance. It doesn't. Understanding what a BAA actually requires makes the gap clear: a SaaS agreement and a BAA are fundamentally different documents, each governing a different dimension of the vendor relationship.
What a SaaS Agreement Covers vs. What a BAA Covers
| Document | What It Governs | Key Provisions |
|---|---|---|
| SaaS Agreement (also: Terms of Service, Master Subscription Agreement) | The commercial and operational relationship between customer and vendor | Service scope and description; pricing and payment terms; uptime SLAs and remedies; intellectual property ownership; permitted users and access controls; liability caps and indemnification; governing law and dispute resolution; term and termination for non-payment or breach of terms |
| HIPAA BAA (Business Associate Agreement) | The PHI handling obligations of the vendor under HIPAA federal law | Permitted uses and disclosures of PHI; vendor's safeguard obligations; breach notification to covered entity (within 60 days); subcontractor BAA requirements; covered entity's right to access vendor's books and records for HHS audits; PHI return or destruction on termination; termination rights for HIPAA violations |
Notice what the SaaS agreement does not contain: any PHI-specific obligations. And notice what the BAA does not contain: any pricing, SLA, or commercial terms. They are complementary but non-overlapping documents.
Can a SaaS Agreement Include BAA Provisions?
Yes — technically a single document can serve as both a SaaS agreement and a BAA, provided it contains all required provisions of both. Some vendors structure their agreements this way, incorporating HIPAA BAA language directly into their terms of service or master subscription agreement.
However, this is less common than having two separate documents. When evaluating whether a single vendor agreement qualifies as a BAA, the question is not "does this document mention HIPAA?" — it is "does this document contain all elements required by 45 CFR § 164.504(e)(2)?" A document that says it is a BAA, or that mentions HIPAA, but omits required provisions is not a qualifying BAA.
How to Verify Whether a Vendor's Terms Include a Qualifying BAA
To verify whether a vendor's terms of service or agreement qualifies as a HIPAA BAA, check for the presence of each of these required elements under 45 CFR § 164.504(e)(2):
- Permitted uses limitation: The vendor may only use or disclose PHI as permitted by the agreement or as required by law — not for any purpose the vendor chooses
- Safeguards: The vendor agrees to use appropriate safeguards to prevent unauthorized use or disclosure of PHI
- Breach notification: The vendor must report any use or disclosure not provided for by the agreement to the covered entity; specifically, the vendor must notify the CE of any breach of unsecured PHI
- Subcontractor BAAs: The vendor must require its own subcontractors who handle PHI to agree to the same restrictions (45 CFR § 164.308(b)(2))
- Access for HHS: The vendor agrees to make its internal practices, books, and records available to HHS upon request for compliance determination
- PHI return/destruction: Upon termination, the vendor will return or destroy all PHI and retain no copies
- Termination right for HIPAA violation: The covered entity has the right to terminate if the vendor violates a material term related to PHI
If any of these are absent, vague, or substantially limited — for example, if the vendor disclaims any obligation to notify of breaches, or retains the right to use PHI for product development — the agreement does not qualify as a BAA even if it mentions HIPAA.
The Most Common Gap: HIPAA-Compliant Infrastructure but No BAA
A significant number of SaaS vendors describe themselves as "HIPAA compliant" — meaning their infrastructure meets Security Rule standards (encryption, access controls, audit logs). This is a technical compliance statement, not a legal commitment.
"HIPAA compliant infrastructure" without a signed BAA does not satisfy your HIPAA obligations as a covered entity. The BAA is the legal instrument that creates the vendor's enforceable HIPAA obligations and documents your compliant relationship. Without a signed BAA, the vendor's claimed compliance is irrelevant from a regulatory standpoint — you have shared PHI without satisfactory assurances as required by 45 CFR § 164.502(e).
Always verify two things: (1) does the vendor have HIPAA-compliant security practices (infrastructure)? and (2) is there a signed BAA in place (legal commitment)? Both must be true; checking a vendor on both dimensions is part of sound vendor due diligence. See the guide on when you need a HIPAA BAA for the full criteria.
Frequently Asked Questions
Does a SaaS agreement include a BAA?
Not automatically. A standard SaaS agreement covers service terms, pricing, and commercial terms — not PHI handling obligations. Some vendors embed BAA provisions in their terms or offer a separate BAA addendum. To verify, check whether the agreement contains all elements required by 45 CFR § 164.504(e)(2). A document that says "HIPAA" but omits required BAA provisions does not qualify.
What's the difference between a BAA and a SaaS agreement?
A SaaS agreement defines the commercial relationship: scope, pricing, SLAs, IP, and liability. A BAA defines the PHI handling relationship: permitted uses, security obligations, breach notification, subcontractor requirements, and PHI disposition at termination. Neither document substitutes for the other when PHI is involved.
How do I know if a vendor's terms include a HIPAA-compliant BAA?
Verify the terms contain all required BAA elements under 45 CFR § 164.504(e)(2): permitted uses limitation, safeguard obligations, breach notification to CE within 60 days, subcontractor BAA requirements, HHS audit rights, and PHI return/destruction on termination. If any are missing or substantially limited, the agreement does not qualify as a BAA regardless of what it is called.