Does eClinicalWorks Sign a HIPAA Business Associate Agreement?
By BAA Generator Editorial · Published Apr 20, 2026 · Last reviewed Apr 20, 2026
Key Takeaways
- ✓ Yes — eClinicalWorks signs a HIPAA BAA in their standard service agreement
- ✓ BAA covers the full platform: EHR, PM, healow patient portal, and telehealth
- ✓ 2017 DOJ settlement was a Meaningful Use certification case — not an OCR HIPAA action
- ✓ Contact eClinicalWorks compliance team for standalone BAA documentation
eClinicalWorks is one of the largest cloud-based EHR and practice management vendors in the United States, serving more than 850,000 medical professionals across ambulatory settings. Despite a high-profile legal settlement in 2017, eClinicalWorks continues to be widely deployed and provides HIPAA BAAs to all subscribers.
eClinicalWorks Product BAA Coverage
The eClinicalWorks BAA covers the full integrated platform, including patient-facing tools:
| Product | BAA Available | Notes |
|---|---|---|
| eClinicalWorks EHR | Yes | Clinical documentation, e-prescribing, population health |
| eClinicalWorks PM | Yes | Scheduling, billing, RCM, insurance eligibility |
| healow (patient portal) | Yes | Patient-facing mobile and web portal; covered under platform BAA |
| eClinicalWorks Telehealth | Yes | Built-in telehealth module covered under platform BAA |
How to Get a HIPAA BAA from eClinicalWorks
The eClinicalWorks BAA is included in the standard service agreement executed during onboarding. If you need a standalone copy of your BAA for compliance documentation:
- Contact the eClinicalWorks compliance or legal team directly
- Reference your service agreement number and request a copy of the executed BAA
- For new customers, the BAA is included in the Master Services Agreement signed during implementation
Unlike self-service platforms, eClinicalWorks is an enterprise EHR vendor — BAA execution occurs through your implementation team and account manager, not through a dashboard settings page.
Understanding the 2017 eClinicalWorks Settlement
eClinicalWorks reached a $155 million settlement with the U.S. Department of Justice in 2017. This settlement is frequently misunderstood, so it is worth clarifying:
- The case was brought under the False Claims Act, not HIPAA
- The allegations were that eClinicalWorks falsely certified that its EHR software met Meaningful Use standards under the EHR Incentive Program
- This was not an OCR HIPAA enforcement action — it did not involve a breach of PHI or HIPAA Security Rule violations
- The settlement did not affect eClinicalWorks' status as a HIPAA business associate or invalidate their BAAs
Practices evaluating eClinicalWorks should be aware of this history as context for due diligence, but it does not change a practice's obligation to execute a BAA with eClinicalWorks before using the platform for PHI.
What Happens If You Use eClinicalWorks Without a BAA?
Using eClinicalWorks to store or process PHI without an executed BAA would violate HIPAA's business associate requirements. In practice, this is unlikely because the BAA is part of the standard service agreement — but practices should confirm that their MSA includes a BAA and that they have a copy on file.
For context on vendor BAA obligations broadly, see our guide on which vendors sign a HIPAA BAA and our resource on when you need a HIPAA BAA.
Frequently Asked Questions
Does eClinicalWorks sign a HIPAA BAA?
Yes — eClinicalWorks includes a HIPAA Business Associate Agreement in their standard service agreement for all customers. Contact the eClinicalWorks compliance team for BAA documentation if you need a standalone copy. All eClinicalWorks products — EHR, PM, healow patient portal, and telehealth — are covered under the platform BAA.
Is eClinicalWorks HIPAA compliant?
Yes — eClinicalWorks is a HIPAA-covered EHR and practice management platform. The company entered a $155 million DOJ settlement in 2017 related to False Claims Act violations (specifically misrepresenting Meaningful Use certification), but this did not affect their status as a HIPAA business associate or their BAA obligations. The platform continues to serve thousands of ambulatory practices.
Does the eClinicalWorks BAA cover the healow patient portal?
Yes — the healow patient portal, eClinicalWorks' patient-facing mobile and web portal, is covered under the eClinicalWorks platform BAA. Healow is developed and operated by eClinicalWorks, so no separate BAA is required. However, if you integrate third-party apps through the healow ecosystem, those integrations may require separate BAAs with those third-party vendors.
What happened with eClinicalWorks and OCR?
The 2017 eClinicalWorks legal matter was a $155 million settlement with the U.S. Department of Justice under the False Claims Act — specifically, allegations that the company misrepresented that its EHR met Meaningful Use certification requirements. This was not an OCR HIPAA enforcement action and did not involve a breach of patient data. The settlement did not invalidate eClinicalWorks' BAAs or their obligations as a HIPAA business associate.