If you are using any third-party platform, software, or service to deliver or support telehealth, there is a foundational document you need in place before a single session takes place: a Business Associate Agreement, or BAA. Many providers have heard the term but are fuzzy on what it actually means, why it matters, and what happens if you skip it. Here is a plain-language breakdown.
What Is a BAA?
A Business Associate Agreement is a legally required contract under HIPAA between a covered entity, which is any healthcare provider, health plan, or clearinghouse, and a business associate, which is any third-party vendor or service that creates, receives, maintains, or transmits protected health information (PHI) on your behalf.
In the context of telehealth, your video platform is a business associate. So is your scheduling software, your cloud storage provider, your email service if it carries PHI, and any other tool that touches patient data. Before you use any of these services in a clinical context, a signed BAA must be in place.
Why Does It Matter?
Without a BAA, you are potentially in violation of HIPAA even if no breach ever occurs. The agreement is not just a formality. It establishes that your vendor understands their obligations under HIPAA, has the safeguards in place to protect PHI, and will notify you in the event of a breach. If a breach does occur and you do not have a BAA on file, you bear full liability. Fines for HIPAA violations range from hundreds to millions of dollars depending on severity and whether negligence was involved.
Beyond compliance, a BAA gives you confidence that the vendors you rely on are taking security seriously. Any reputable telehealth platform, cloud service, or healthcare software company should be willing to sign one without hesitation. If a vendor refuses or delays, that is a significant red flag.
What a BAA Should Cover
A properly written BAA will typically address several key areas. It will describe the permitted uses and disclosures of PHI by the business associate, limiting how they can use your patient data. It will require the vendor to implement appropriate administrative, physical, and technical safeguards. It will outline their obligation to report any security incident or breach to you promptly. It will also address what happens to PHI when the business relationship ends, usually requiring the data to be returned or securely destroyed.
Common Mistakes Providers Make
The most common mistake is simply not asking. Many providers assume their software vendor is automatically compliant or that a terms-of-service agreement covers it. It does not. You must specifically request and sign a BAA.
Another frequent error is using consumer-grade tools, such as FaceTime, standard Zoom, or personal email, for telehealth without verifying whether a BAA is available. Many consumer platforms do not offer BAAs at all, which means they should not be used to conduct or coordinate care involving PHI.
Finally, some providers sign a BAA and then forget about it. BAAs should be reviewed periodically and updated if your vendor relationship changes or if your use of a service expands to include PHI in new ways.
SecureVideo and Your BAA
SecureVideo provides a signed BAA to all users because HIPAA compliance is not optional in telehealth; it is the baseline. When you use SecureVideo for your virtual visits, you can be confident that your platform relationship is properly documented and that your patients’ information is handled in accordance with federal privacy law.
If you are evaluating telehealth tools or auditing your current vendors, start by confirming a BAA is in place with each one. It is one of the simplest and most important steps you can take to protect your practice. Ready to get started with a platform that takes compliance seriously? Start your free trial today at www.securevideo.com.