Does Epic Sign a HIPAA Business Associate Agreement?
By BAA Generator Research Team · Published Apr 19, 2026 · Last reviewed Apr 19, 2026 · 3 min read
Key Takeaways
- ✓ Yes — Epic includes HIPAA BAA provisions in its standard EHR implementation agreements
- ✓ The BAA is embedded in the master software agreement — not a separate opt-in document
- ✓ If BAA language is missing from your contract, request it from your Epic account manager
- ✓ Third-party Epic integrations (App Orchard, HL7, API) each require their own separate BAA
How Epic's BAA Works in Practice
Epic's approach to HIPAA compliance differs from SaaS vendors that offer click-through BAAs. As an EHR vendor, Epic embeds BAA language directly into its master software and services agreement — the comprehensive contract signed by healthcare organizations at the start of an Epic implementation.
This means:
- You do not need to request a separate BAA document from Epic after contract signing
- The BAA provisions are already part of your existing Epic contract
- You should confirm BAA language is present when reviewing the contract — if missing, request it from your Epic account manager
- Renewals and amendments to your Epic agreement may require re-reviewing BAA provisions
What Epic's BAA Covers
Epic's HIPAA BAA covers the core EHR software and services provided by Epic, including:
- Epic EHR clinical documentation and patient record management
- Epic hosting services (for Epic-hosted environments)
- Epic maintenance and support services
- MyChart patient portal (as an Epic-provided service)
- Epic's Cosmos data research product (subject to separate data governance agreement)
What Epic's BAA Does Not Cover: Third-Party Integrations
A critical compliance consideration for Epic customers: Epic's BAA covers Epic's own services only. It does not extend to third-party applications, vendors, or integrations.
| Integration Type | Covered by Epic BAA? | Action Required |
|---|---|---|
| Epic core EHR software | Yes | Confirm BAA language in master agreement |
| Epic-hosted environment | Yes | Covered under Epic's BAA |
| App Orchard marketplace apps | No | Each ISV app needs its own BAA |
| HL7 interface partners | No | Each integration partner needs its own BAA |
| FHIR API connections | No | Each connecting application needs its own BAA |
| Cloud infrastructure (AWS, Azure) | No | If you self-host or use cloud, separate BAA with cloud provider |
Epic App Orchard: BAA Considerations
Epic's App Orchard is a marketplace of third-party applications that integrate with Epic. Epic reviews these applications for interoperability, but App Orchard listing does not mean the ISV has a HIPAA BAA in place with your organization.
For every App Orchard application your organization uses, you must independently:
- Identify whether the application handles PHI
- Verify the vendor signs a HIPAA BAA
- Execute a BAA with the ISV vendor directly
- Document the BAA in your HIPAA compliance records
Frequently Asked Questions
Does Epic sign a HIPAA BAA?
Yes — Epic's HIPAA BAA provisions are embedded in its standard master software agreement. Review your implementation contract for this language. If absent, request it from your Epic account manager.
Where is the BAA in Epic's contract?
The BAA language is typically in the master software and services agreement signed during EHR implementation. Review the agreement with your legal counsel to confirm the BAA provisions are present and adequate.
Do third-party Epic integrations require their own BAA?
Yes — Epic's BAA covers only Epic's services. Every third-party app (App Orchard, HL7 partners, FHIR API connections) requires its own independent BAA. This applies even to applications listed and reviewed on the App Orchard marketplace.
For a broader look at which vendors sign HIPAA BAAs, see our vendor BAA lookup guide.
More vendor BAA guides
Generate a compliant BAA in 5 minutes
HHS model BAA provisions · 45 CFR § 164.504(e) compliant · clean PDF + editable Word
No subscription · PDF + Word · Free watermarked preview
Related: EHR & practice management