SideGuy
Tech-Help · Clarity Before Cost

🛡️ COMPLIANCE · HIPAA BAA

Do I need a HIPAA BAA? Here's who signs — and when.

A Business Associate Agreement is the contract HIPAA requires whenever one organization creates, receives, maintains, or transmits protected health information on behalf of another (a vendor working for a Covered Entity, or a subcontractor working for that vendor). The questions that actually matter: do you need one, with whom, and in which direction. Work the triage.

Operator-honest tech-help · no jargon · no upsell to something you don't need.

The BAA triage

Work these in order · step 1 decides whether you need one at all

  • Confirm PHI is actually involved. A BAA is only required when Protected Health Information changes hands. If a vendor never creates, receives, stores, or transmits PHI for you, for example a tool that only ever sees data de-identified under the HIPAA standard (Safe Harbor or Expert Determination), no BAA is needed. Don't paper relationships that aren't in scope.
  • Identify your role in the relationship. Are you the Covered Entity (a provider, health plan, or healthcare clearinghouse), the Business Associate (a vendor handling PHI for one), or hiring a subcontractor below you? Your role decides which direction the BAA runs and who is liable for what.
  • Downstream: every vendor that touches PHI for you. If you hand PHI to a vendor so they can do work for you — cloud host, database, email, backups, analytics, support tooling — you need a signed BAA with each of them. A vendor in that path who won't sign one is a gap you must close or replace.
  • Upstream: every Covered Entity you serve. If you handle PHI on behalf of a clinic, hospital, or health plan, they need a BAA with you before they send you any PHI. Expect to be asked for it — a serious healthcare client will not onboard you without one.
  • Follow the subcontractor chain all the way down. BAAs flow down the entire chain. If your subprocessor uses their own subprocessor that touches PHI, a BAA is required at that link too. The chain is only as compliant as its weakest unsigned link — and that link is usually two vendors deep.
  • Sign it before PHI flows, not after. A BAA must be in place before any PHI moves. A signature dated after the fact does not cover the window when data flowed uncovered, and backdating one only adds a records problem on top of the gap. If PHI is already moving without a BAA, treat that as an open incident, not a paperwork errand.
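The six steps above are one procedure: map every hop PHI takes, skip the hops that only carry de-identified data, and check that a BAA exists at each remaining link and was effective before PHI first crossed it. The script below is an added example of that walk (written for this page, not SideGuy's audit tooling). The organisation names, dates, and the Flow/Baa/Finding structures are constructed assumptions; the point is the chain traversal and the two checks it applies at every link.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One hop where data moves from src to dst.
    first_phi is the date PHI first crossed this hop; None means only
    de-identified data crosses it, so the hop (and everything below it) is out of scope."""
    src: str
    dst: str
    first_phi: Optional[date]


@dataclass(frozen=True)
class Baa:
    """A signed BAA. upstream hands PHI over, downstream receives it."""
    upstream: str
    downstream: str
    effective: date


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    status: str  # "covered" | "missing" | "uncovered_window" | "no_phi"
    window: Optional[Tuple[date, date]] = None  # (first_phi, baa.effective) when uncovered


def audit_chain(root: str, flows: List[Flow], baas: List[Baa]) -> List[Finding]:
    """Walk every hop reachable from root (the Covered Entity) and check each link.
    Step 1: hops with no PHI are reported as out of scope and not followed.
    Steps 3-5: every hop that carries PHI needs a BAA between exactly those two parties.
    Step 6: the BAA must be effective on or before the day PHI first flowed."""
    baa_by_hop = {(b.upstream, b.downstream): b for b in baas}
    findings: List[Finding] = []
    seen = set()
    todo = [root]
    while todo:
        org = todo.pop()
        if org in seen:  # guard against cycles (vendor A -> B -> A)
            continue
        seen.add(org)
        for f in sorted((f for f in flows if f.src == org), key=lambda f: f.dst):
            if f.first_phi is None:
                findings.append(Finding(f.src, f.dst, "no_phi"))
                continue  # nothing downstream of this hop ever receives PHI from us
            baa = baa_by_hop.get((f.src, f.dst))
            if baa is None:
                findings.append(Finding(f.src, f.dst, "missing"))
            elif baa.effective > f.first_phi:
                findings.append(Finding(f.src, f.dst, "uncovered_window", (f.first_phi, baa.effective)))
            else:
                findings.append(Finding(f.src, f.dst, "covered"))
            todo.append(f.dst)  # PHI reaches dst, so dst's own vendors are in scope too
    return findings


def open_gaps(findings: List[Finding]) -> List[Finding]:
    """The links that need action now: no BAA, or a BAA signed after PHI started flowing."""
    return [f for f in findings if f.status in ("missing", "uncovered_window")]


# Constructed sample chain (hypothetical organisations and dates, not real vendors).
SAMPLE_FLOWS = [
    Flow("clinic", "vendor", date(2024, 3, 1)),          # the Covered Entity sends us PHI
    Flow("vendor", "cloud-host", date(2024, 3, 1)),      # we store it with a cloud host
    Flow("vendor", "email", date(2024, 5, 10)),          # PHI started landing in email later
    Flow("vendor", "analytics", None),                   # analytics only sees de-identified data
    Flow("cloud-host", "backup-sub", date(2024, 3, 15)), # host's own backup subcontractor
    Flow("analytics", "ad-network", None),               # below an out-of-scope hop: never checked
]
SAMPLE_BAAS = [
    Baa("clinic", "vendor", date(2024, 2, 20)),          # signed before PHI moved: covered
    Baa("vendor", "cloud-host", date(2024, 3, 1)),       # effective the same day: covered
    Baa("cloud-host", "backup-sub", date(2024, 6, 1)),   # signed 2.5 months after PHI flowed
    # no BAA with the email provider at all
]


def run_sample_audit() -> List[Finding]:
    return audit_chain("clinic", SAMPLE_FLOWS, SAMPLE_BAAS)


if __name__ == "__main__":
    for f in run_sample_audit():
        extra = f" uncovered {f.window[0]} to {f.window[1]}" if f.window else ""
        print(f"{f.src} -> {f.dst}: {f.status}{extra}")
```

Running the sample reports the email hop as missing and the backup subcontractor as an uncovered window from 2024-03-15 to 2024-06-01; the analytics hop is reported as out of scope and its downstream ad network never appears, which is the "don't paper relationships that aren't in scope" rule from step 1. The model deliberately keys BAAs on the exact pair of parties: a BAA you hold with your cloud host says nothing about the host's backup subcontractor, which is the two-vendors-deep gap step 5 warns about.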

🛡️ The deeper fix · SideGuy builds it

A mapped PHI chain — not a folder of signatures

SideGuy is the operator layer that maps where protected health information actually moves through your stack — every vendor, every subprocessor, every link — and shows you which BAAs are missing, which are stale, and which vendors quietly fail what they signed. A signature folder is a checkbox. A mapped chain is the truth.

It starts with a $250 Operator Audit — an operator-honest read on your full PHI chain and BAA coverage. The first hour is free. Text PJ and we'll scope it.

Common questions (answered honestly)

Who needs to sign a HIPAA Business Associate Agreement?
Any two organizations where one handles protected health information on behalf of the other. A Covered Entity signs one with each Business Associate; a Business Associate signs one with each subcontractor that also touches PHI. The agreement runs in whichever direction the PHI flows.
Do I need a BAA with AWS, Google Cloud, or my email provider?
If they store, process, or transmit PHI for you, yes. The major cloud providers offer a BAA you can execute, but it covers only the services they list as in scope, so PHI has to stay inside those services and be configured the way the BAA requires. Email is the common miss: if PHI ever lands in email, the email provider needs a BAA, and most consumer email services will not sign one.
What happens if PHI flowed without a BAA in place?
That uncovered window is a compliance gap, and depending on what happened it can be a reportable event. A BAA signed afterward does not retroactively cover it. Treat it as an open incident: get the BAA signed now, and assess what was exposed.
How do I know my BAA chain is actually complete?
Map where PHI flows, vendor by vendor, including subprocessors. SideGuy's $250 Operator Audit does exactly that and tells you, operator-honest, where the chain breaks. Text PJ.

Know someone unsure which HIPAA BAAs they need? Send them the triage.

Text PJ → 858-461-8054