What Is a Business Associate Agreement (BAA)?

Who Must Sign a BAA?

HIPAA defines a business associate as any person or organization that performs a function or service involving PHI on behalf of a covered entity.

In a telehealth or healthcare technology deployment, this may include:

• Video platform providers
• Messaging API vendors
• AI chatbot providers
• Cloud hosting providers
• EHR systems
• Analytics platforms that access identifiable patient data

The healthcare organization is responsible for ensuring BAAs are in place with every vendor in its technology stack before PHI flows through those systems.

In practice, this is where we see the most common gap in otherwise well-structured healthcare deployments. The primary platform has a BAA in place. The hosting environment is covered. But a messaging API added mid-project, an AI processing service integrated after launch, or an analytics tool with incidental PHI access has no BAA in place at all. The obligation doesn’t diminish because a component was added later or because it feels peripheral — if it touches PHI, it needs coverage.

A BAA cannot be backdated to cover a period when PHI was already being processed.

Subcontractors Also Require Coverage

If a primary vendor relies on subcontractors that handle PHI, those subcontractors must also be contractually covered.

This can occur in one of two ways:

• The subcontractor signs a BAA directly with the covered entity, or
• The subcontractor signs a BAA with the primary vendor, who acts as the business associate

Covered entities should explicitly confirm subcontractor coverage during vendor due diligence.

What a BAA Must Contain

Under 45 CFR §164.504(e), HIPAA specifies minimum required provisions for a valid Business Associate Agreement.

A compliant BAA must:

• Define permitted uses and disclosures of PHI
• Require implementation of appropriate safeguards
• Require breach and security incident reporting
• Require subcontractors to agree to the same protections
• Define procedures for PHI return or destruction at contract termination
• Allow contract termination if the business associate materially violates its obligations

A document labeled “BAA” that omits these provisions does not satisfy HIPAA requirements.

What a BAA Does Not Do

A Business Associate Agreement is necessary — but it is not sufficient for compliance.

Important clarifications:

• A BAA does not certify that a vendor is HIPAA compliant.
• A BAA does not replace required technical safeguards.
• A BAA does not eliminate the covered entity’s due diligence obligation.

Covered entities should also review security documentation, infrastructure architecture, audit logging capabilities, and incident response procedures.

Common Misconceptions About Business Associate Agreements

Business Associate Agreements are often misunderstood at the contract level — particularly in complex healthcare technology stacks involving multiple vendors.

“Our cloud provider’s BAA covers our whole stack.” A BAA with AWS, Google Cloud, or Azure covers the infrastructure layer those providers operate. It does not extend to the applications, APIs, or services running on top of that infrastructure. Each vendor that independently stores, processes, or transmits PHI requires its own BAA — your hosting provider’s agreement doesn’t travel up the stack.

“We don’t need a BAA until we go live.” HIPAA requires a BAA to be in place before PHI flows through a vendor’s systems — not after launch, not retroactively. A BAA cannot be backdated to cover a period when PHI was already being processed. If PHI touches a system before the BAA is signed, a violation has already occurred.

“The vendor offered us a BAA, so they must be compliant.” A vendor’s willingness to sign a BAA demonstrates they understand the contractual obligation — it doesn’t demonstrate that their systems actually implement the required technical safeguards. Covered entities remain responsible for verifying that BAA coverage is backed by appropriate security controls, not just a signed document.

“We have one BAA that covers all our vendors.” BAAs are bilateral contracts between a covered entity and a specific vendor. There is no single BAA that can cover multiple vendors simultaneously. Each vendor in the technology stack that handles PHI requires its own executed agreement.

What Happens If You Use a Vendor Without a BAA?

Using a vendor to process PHI without a signed BAA is itself a HIPAA violation — even if no data breach occurs.

The Office for Civil Rights (OCR) has levied penalties for missing BAAs. Penalties vary depending on the level of culpability and whether the violation was corrected, and can be substantial. For current HIPAA civil monetary penalty schedules, see the HHS Federal Register Notice (January 2026).

Compliance requires the contract to be in place before PHI is transmitted.

Does QuickBlox Sign a Business Associate Agreement?

Yes. QuickBlox signs a Business Associate Agreement with healthcare organizations deploying its platform for clinical applications.

What the BAA covers matters as much as whether one exists. QuickBlox’s agreement extends across the full communication infrastructure stack — video infrastructure, secure messaging API, AI messaging tools, and HIPAA-compliant hosting — under a single executed agreement. Organizations don’t need to manage separate BAAs for each component or navigate subcontractor coverage questions across multiple vendors. One agreement covers the stack.

For teams that have previously worked with vendors who offer partial BAA coverage — a hosting provider whose agreement doesn’t extend to the application layer, or a messaging API that requires a separate agreement from the video infrastructure — the consolidated structure simplifies both procurement and ongoing compliance governance considerably.

To request a BAA or discuss the scope of coverage for your specific deployment, contact the QuickBlox team.

The QuickBlox Perspective

BAA conversations tend to come in two forms. The first is straightforward: a healthcare organization needs to confirm that QuickBlox signs a BAA before procurement can proceed. The answer is yes, covering our full communication infrastructure stack under a single agreement.

The second is more involved: an organization is assembling or auditing a multi-vendor stack and trying to confirm that BAA coverage is complete across every component that touches PHI. That conversation takes longer — and it should. In our experience, the gaps almost always appear in the same places: a component added after the initial compliance review, a subcontractor relationship that wasn’t surfaced during due diligence, or an assumption that one vendor’s BAA extends further than it actually does.

QuickBlox covers our chat API, video infrastructure, AI messaging tools, and HIPAA-compliant hosting under a single BAA, which simplifies that part of the stack considerably. If you’re working through BAA coverage across a broader vendor ecosystem, we’re happy to help you think it through — most of those conversations surface at least one gap that wasn’t initially identified.