All notes

Do you actually need a BAA with your web team?

What a Business Associate Agreement covers, what it doesn't, and when it stops being optional.

The question usually arrives late. The site is built, the forms are live, and somebody in a compliance meeting asks whether the web company ever signed anything. Often the answer is no, and nobody is quite sure whether that is a problem.

Here is the plain-English version.

What a BAA actually is

A business associate agreement is a contract HIPAA requires between a covered entity, your practice, and any outside company that creates, receives, maintains, or transmits protected health information on your behalf. It commits that company to specific safeguards, to telling you when something goes wrong, to limits on what it may do with the data, and to holding its own subcontractors to the same terms.

It is a contract, not a certificate. No agency issues a BAA and nobody is “BAA certified.” Two parties sign one, and then they either live up to it or they do not.

The test is whether they touch the data

It has nothing to do with job titles or with whether a company thinks of itself as a healthcare vendor. It is about whether protected health information passes through something they run. On a practice website, that list is longer than most people expect:

  • The form, chat, or scheduling widget that receives what a patient types.
  • The hosting where a submission lands or is stored, even briefly.
  • The email service that carries the notification, if the notification contains the message itself.
  • Call tracking, when calls or transcripts are recorded and stored.
  • Analytics and advertising pixels running on pages where patients disclose why they are there. The OCR has addressed tracking technologies on health sites directly, and it is the exposure most practices are least aware of.
  • Backup and file-storage services holding a copy of any of the above.

If the honest answer for a vendor is “yes, patient data passes through this,” then the real question is not whether to get a BAA signed. It is whether that vendor should be in the path at all.

What a BAA does, and what it does not

A signed BAA means a company has committed, in writing and with consequences, to handle your patients’ information a particular way and to tell you promptly when it fails to. That is worth having. It is also frequently oversold, so it is worth being precise about the limits.

  • It does not move your liability. You are still the covered entity. A BAA gives you recourse against a vendor. It is not a shield you can stand behind.
  • It does not make an unsafe tool safe. Signing a document changes nothing about where the data physically sits.
  • It does not reach past what it names. An agreement with your form vendor says nothing about your host, your inbox, or the pixel on your homepage.
  • It is not a compliance program. Your policies, your training, your risk analysis, and everything happening inside the practice remain yours.

A BAA is a promise about how data will be handled. Architecture is what decides whether the promise can be kept.

So do you need one with your web team?

Ask one question: does anything a patient types, clicks, or uploads on our website reach a system this company built, chose, hosts, or administers? If the answer is yes, they are handling protected health information on your behalf, and the agreement is not optional. If the answer is genuinely no, which is rarer than it sounds, then they may sit outside it, and you should be able to say exactly why in one sentence.

The awkward middle case is the common one. A capable general agency, one that never thought of itself as a healthcare vendor, built a normal website with a normal contact form, and would decline to sign a BAA if you asked, because they know they could not stand behind it. That is an honest answer. It also tells you precisely where you stand.

How we handle it

We sign the BAA for the layer we build and run, and we keep that layer as small as it can be. Intake is captured in our HIPAA-compliant datastore, so your website never becomes the place patient data lives. From there the agreement runs end to end, and that includes the mailbox your team actually reads: we secure Google Workspace, Microsoft 365, and other providers under a BAA too. Fewer systems touch the data, and every one that does is under an agreement we can actually honor. We are engineers, not attorneys, so the wording of your agreements belongs with your counsel. Where your data goes belongs with us.

If you are not sure who has signed what, start by finding out where the data goes. That is what the free liability audit is for, and it costs nothing.

Start here

Find out if you’re exposed.

The free audit reads only what is publicly available: your live site, its forms, where a submission appears to go, and the third parties already riding along on the page. We never touch your systems, and all we need is your URL. You get your likely exposure in writing, at no cost.

Free · public information only · no access to your systems