BAA-Backed AI Chat
What a Business Associate Agreement is in plain English, who actually offers one for AI, what's in a typical clause set, and how to evaluate a vendor's BAA before you sign.
Every healthcare buyer evaluating an AI tool runs into the same three letters at some point: BAA. Vendors throw them around like a credential. Sales decks list them in feature comparisons. Procurement teams ask about them in security questionnaires. And almost nobody outside healthcare compliance can explain, in plain words, what a BAA actually is or how to tell a strong one from a weak one.
This is the full breakdown. What a BAA is, who needs to sign one, what clauses matter, which AI vendors offer them as of May 2026, and a 12-question checklist you can run any vendor's contract through before you sign. If you're shopping for HIPAA-compliant AI chat, start here.
What a BAA actually is
A Business Associate Agreement is a contract required by the HIPAA Privacy Rule. It binds a vendor that handles Protected Health Information to follow the same privacy and security standards as the covered entity that hired them. Without a signed BAA, sending PHI to a vendor is a HIPAA violation, regardless of how secure that vendor's product happens to be.
The legal logic is simple: HIPAA holds covered entities (clinics, hospitals, insurers, billing companies) responsible for PHI. When a covered entity hands PHI to a vendor, the vendor doesn't automatically inherit that responsibility. The BAA is the mechanism that transfers a portion of the legal duty to the vendor and creates a paper trail HHS can follow if there's a breach.
Think of it as a gate. PHI can move from your clinic to a vendor only after the gate is unlocked, and the BAA is the key. No BAA, no PHI. Doesn't matter if the vendor is end-to-end encrypted, SOC 2 audited, and ISO 27001 certified. Without the contract, you don't have the legal authority to send them the data.
Who must sign a BAA
Two parties are always involved: the covered entity and the business associate.
The covered entity is you, in most cases. A medical practice, dental office, mental health clinic, hospital system, health plan, or healthcare clearinghouse. If you bill insurance or hold patient records, you're a covered entity.
The business associate is anyone you pay to do work that involves PHI. The list is long: your EHR vendor, your billing service, your transcription service, your cloud backup provider, your AI chat tool. If they touch PHI, they're a business associate, and you need a BAA with them.
It doesn't end there. HIPAA establishes chain liability. If your business associate uses sub-contractors that also touch PHI, those sub-contractors need BAAs with your business associate. Anthropic uses AWS for hosting. OpenAI uses Microsoft Azure. The chain only works if every link is under contract.
You sign one BAA with your direct vendor. That vendor is responsible for the BAAs with their sub-processors. Your contract should require disclosure of who those sub-processors are and confirm the upstream BAAs exist.
What's in a typical BAA
HIPAA specifies the minimum content of a BAA in 45 CFR 164.504(e). Every compliant agreement covers roughly the same ground. Here's what to expect when you read one.
Permitted uses and disclosures
The BAA defines what the vendor is allowed to do with PHI. For an AI chat tool, this typically means "process the prompt to generate a response, run safety classifiers, and store operational logs for the period stated." Anything outside that scope (training, analytics, marketing) needs explicit permission or it's prohibited.
Required safeguards
The vendor commits to administrative, physical, and technical safeguards. Encryption at rest and in transit, access controls, audit logging, employee training, incident response procedures. The HIPAA Security Rule sets the floor. Strong BAAs go above it.
Sub-processor restrictions
The vendor agrees to bind any sub-processor that handles PHI to substantially equivalent terms. The BAA should name current sub-processors or commit to disclosure on request, and require advance notice before adding new ones.
Breach notification SLA
HIPAA itself requires notification within 60 days of discovery. That's the federal floor. Most BAAs negotiate something tighter, often 24 to 72 hours, so the covered entity has time to assess scope and notify patients before the federal deadline. A BAA that matches the 60-day floor exactly is a sign the vendor is doing the legal minimum.
Termination rights
Either party can terminate for material breach. The covered entity should have the right to terminate and switch vendors without penalty if the vendor fails to meet BAA obligations.
Return or destruction of PHI
On termination, the vendor must return all PHI to the covered entity or destroy it, with written certification. If return or destruction is "infeasible" (a common dodge), the vendor must extend BAA protections to the retained data indefinitely.
Indemnification and audit rights
The strongest BAAs include indemnification for breaches caused by the vendor's negligence and audit rights that let the covered entity (or a third party) inspect security controls. Many vendor-drafted BAAs strip these out. Push back.
Who offers AI BAAs in 2026
BAA availability has expanded significantly over the past two years. As of May 2026, here's the lay of the land. Tier names change, so confirm directly with the vendor before signing anything.
| Vendor | BAA tier | Notes |
|---|---|---|
| Anthropic | Enterprise | Direct BAA on the Enterprise tier. Underlying Claude API zero-retention rules apply. |
| OpenAI | Enterprise / API Enterprise | ChatGPT Enterprise and the API at the appropriate tier. Consumer ChatGPT Plus does not include a BAA. |
| Microsoft Azure OpenAI | All Azure tiers | BAA covers the Azure platform, including Azure OpenAI. Already in place if you have an Azure BAA. |
| Google Cloud Vertex AI | All GCP tiers | Google Cloud BAA covers Vertex AI, including Gemini and PaLM family models. |
| AWS Bedrock | All AWS tiers | AWS BAA covers Bedrock and the underlying foundation models hosted there. |
| PrivateClaude Business | Business tier | BAA on the Business tier. Inherits Anthropic Enterprise rules under the hood. |
| Hathr.AI | All tiers | Healthcare-focused wrapper. BAA included in standard contract. |
| BastionGPT | All tiers | Healthcare-focused chat with BAA included. |
| CompliantChatGPT | All tiers | HIPAA-positioned wrapper around OpenAI with BAA. |
For a deeper feature comparison across these vendors, see our HIPAA AI vendor comparison table. And for the question of whether the consumer-grade ChatGPT product has a BAA path, our "Is ChatGPT HIPAA-compliant?" piece walks through it.
Red flags in a BAA
Most AI vendor BAAs are drafted by the vendor's legal team to favor the vendor. That's normal. The covered entity's job is to read carefully and push back where it matters. These are the patterns to watch for.
- Broad indemnification carve-outs. Language that excludes "AI-generated content," "model output," or "third-party model providers" from indemnification leaves you holding the bag if the model causes harm.
- Vague sub-processor language. "We may use sub-processors as needed" without naming them or committing to advance notice. You should know who's touching the data.
- 60-day breach notification with no tightening. If the BAA matches the federal floor exactly, the vendor is giving you the legal minimum. Negotiate 24 to 72 hours.
- No audit rights. If the vendor refuses any inspection, you have no way to verify compliance other than trust.
- No return-or-destruction clause. Or one that makes destruction "infeasible" by default. Your data should come back to you or be provably destroyed when the relationship ends.
- No transition assistance. When you switch vendors, you need help exporting data. A BAA that doesn't address transition leaves you stranded.
- Unilateral amendment rights. Vendors that reserve the right to modify the BAA at will, with no notice or opt-out, are not partners. They're landlords.
The "no BAA needed" claim is wrong
Some AI vendors, especially smaller ones, market themselves to healthcare buyers with a line like: "We're encrypted end-to-end, so you don't need a BAA." That's wrong, and it's dangerous.
HIPAA requires the contract specifically. The Privacy Rule doesn't say "use a vendor with strong encryption." It says "have a BAA with any business associate that handles PHI." Encryption is one of the safeguards the BAA requires the vendor to implement. It is not a substitute for the contract.
If a vendor tells you encryption replaces the need for a BAA, walk away. Either they don't understand HIPAA (in which case you can't trust them with PHI) or they understand and are misleading you (in which case you definitely can't trust them with PHI). There is no third option where they're right.
The same principle applies to vendors that say "we don't store your data, so HIPAA doesn't apply." HIPAA applies the moment PHI moves to the vendor, even in transit. The BAA is what authorizes the transfer. Storage policy is a safeguard the BAA can require, not a way around the BAA.
Sub-processor disclosure
Most AI vendors don't run their own GPU clusters. They rent compute from hyperscalers. That means the data path looks like this:
Your clinic sends PHI to your AI vendor, which sends the request to their model provider (Anthropic, OpenAI, etc.), which runs the model on cloud infrastructure (AWS, Azure, GCP).
Every link in that chain that touches PHI needs a BAA. Your direct contract is with your AI vendor. Your AI vendor's contracts cover the rest. But you should be able to see the chain.
Anthropic's Enterprise BAA covers their use of AWS as a hosting sub-processor. OpenAI's BAA covers their use of Microsoft Azure. AWS Bedrock and Azure OpenAI are themselves under their parent platform's BAAs. The chain is real and well-established for the major players.
For smaller wrappers, ask three questions: Who is your model provider? Who hosts that model provider? Are both relationships under BAA? If the answers are "we don't disclose," that's a red flag.
A 12-question evaluation checklist
Run any AI vendor's BAA through these 12 questions before signing. If the answer to more than two is "no" or "unclear," renegotiate or move on.
- Who signs? Confirm the legal entity name and the signatory's authority to bind that entity.
- Is PHI scope defined? The contract should specify what categories of PHI the vendor will handle.
- Are permitted uses listed? No catch-all phrases like "any reasonable purpose." Specific uses only.
- Are sub-processors disclosed? Current list, with a commitment to advance notice for additions.
- What's the retention policy? How long is PHI held, and is it encrypted at rest? When does it auto-delete?
- Do you get audit log access? Can you see who accessed PHI, when, and from where?
- What's the breach notification SLA? In days or hours, not "as soon as practicable."
- Is there an indemnification cap, and what does it cover? Pay attention to AI-specific carve-outs.
- Can you terminate for cause? And without penalty if the vendor materially breaches?
- Is there a return-of-PHI clause? With certification of destruction if return isn't possible?
- What's the governing law? Some vendors specify jurisdictions that disadvantage covered entities.
- What's the dispute resolution process? Mandatory arbitration in a distant venue is a flag.
Print this list. Bring it to every vendor evaluation. If the vendor's sales rep can't answer these questions on a call, the contract isn't ready for signature.
Private Claude's BAA approach
Private Claude offers a BAA on the Business tier. The structure is straightforward: we sign a direct BAA with the covered entity, and Private Claude operates under Anthropic's Enterprise and API contracts upstream, which include their own BAA where applicable. Sub-processors are disclosed in writing.
Three things distinguish our BAA from the typical AI vendor agreement:
- No saved chat history by design. The product itself doesn't store conversations beyond the active browser session. The BAA reflects this: there's no PHI in our database to breach because there's no database storing PHI.
- Inherited Anthropic API zero-retention rules. The underlying Claude API auto-deletes operational logs after 7 days and never trains on inputs. Our BAA passes those guarantees through.
- Negotiable terms for larger deployments. Tighter breach SLAs, custom retention policies, VPC deployment, dedicated support. The standard BAA is a starting point, not a take-it-or-leave-it.
Email support@privateclaude.ai with your covered entity name and team size, and we'll send a draft BAA for your legal team to review. No sales call required to read the contract.
Frequently asked questions
What is a BAA in plain English?
A Business Associate Agreement is a contract required by the HIPAA Privacy Rule. It binds a vendor that handles Protected Health Information to follow the same privacy and security standards as the covered entity that hired them. Without a signed BAA, sending PHI to a vendor is a HIPAA violation, even if that vendor is technically secure.
Does encryption replace the need for a BAA?
No. Encryption is a safeguard, not a substitute for the contract. HIPAA requires the contract specifically. A vendor that says "we're encrypted, you don't need a BAA" is wrong. The contract is what creates the legal obligation. Encryption is one of the things the contract requires the vendor to do.
Which AI vendors offer a BAA in 2026?
As of May 2026, BAAs are available from Anthropic on the Enterprise tier, OpenAI on Enterprise and the API at the appropriate tier, Microsoft Azure OpenAI, Google Cloud Vertex AI, AWS Bedrock, and a growing list of healthcare-focused wrappers like PrivateClaude Business, Hathr.AI, BastionGPT, and CompliantChatGPT. Consumer plans (ChatGPT Plus, Claude Pro) do not include a BAA.
What's the standard breach notification window?
HIPAA itself sets 60 days from discovery as the outer limit for notification. Most BAAs negotiate a much tighter window, typically 24 to 72 hours, so the covered entity has time to assess and notify patients before the federal deadline. If a BAA matches the 60-day federal floor exactly, that's a red flag worth pushing back on.
Do sub-processors need their own BAA?
Yes, if they touch PHI. HIPAA establishes chain liability: every link in the data path that handles PHI must be under a BAA. Anthropic uses AWS for hosting, OpenAI uses Microsoft Azure. Both AWS and Azure offer their own BAAs to the upstream vendor. Your BAA with the AI vendor should disclose sub-processors and confirm those sub-processor BAAs are in place.
What's a red flag in an AI vendor's BAA?
Watch for broad indemnification carve-outs that exclude AI-related claims, vague sub-processor language that doesn't name actual sub-processors, breach notification SLAs that match the 60-day federal floor with no tightening, no audit rights, no return-or-destruction clause for PHI on termination, and no transition assistance if you switch vendors.
Is a signed BAA enough to be HIPAA-compliant?
No. The BAA is necessary, not sufficient. You also need administrative, physical, and technical safeguards on your side: access controls, audit logs, training, breach response procedures, and a risk assessment. The BAA covers the vendor relationship. Everything else covers your own practice.
Does Private Claude offer a BAA?
Yes, on the Business tier. Private Claude's BAA inherits Anthropic Enterprise and API zero-retention rules for the underlying model, layers our own safeguards on top (no chat history, browser-only sessions, optional VPC deployment), and is negotiable for larger teams. Email support@privateclaude.ai for a draft.
Private Claude for regulated teams.
BAA available. Zero data retention. Self-serve or deploy in your VPC. Talk to us about your compliance requirements.