HIPAA Business Associate Agreement (BAA)
Also: BAA, business associate agreement
A HIPAA Business Associate Agreement (BAA) is a contract required under HIPAA before any vendor may receive, process or store Protected Health Information (PHI) on a covered entity's behalf; with no signed BAA, no PHI may go into that tool.
HIPAA (the US Health Insurance Portability and Accountability Act) requires that any 'business associate', a vendor that creates, receives, maintains or transmits PHI on behalf of a healthcare provider, insurer or their contractors, sign a Business Associate Agreement before it touches that data. The BAA obligates the vendor to specific safeguards and breach-notification duties, and makes it directly liable under HIPAA rather than just contractually to its customer.
Why it matters most for AI
For AI tools specifically, this matters because a huge share of AI adoption in healthcare-adjacent settings is unofficial: a clinician trying a transcription app, a practice manager summarising intake forms with a chatbot. If the vendor hasn't signed a BAA, putting PHI through that tool is a HIPAA violation regardless of how good the tool's underlying security is: the BAA is the legal gate, not a formality.
Usually a paid-tier feature
Signing a BAA is usually restricted to a vendor's paid business or enterprise tier; free and consumer tiers of the same product frequently do not qualify, even when the vendor offers a BAA at all. That is why 'does this tool sign a BAA' and 'on which plan' are two separate questions, and both need a sourced answer, not an assumption based on the product's general reputation.
Who offers one
Some vendors are explicit that they don't offer a BAA at all: Otter.ai has stated publicly it is not HIPAA compliant and does not sign BAAs. Others, like OpenAI, Anthropic, Google and Microsoft, do sign a BAA on their business or enterprise tiers. Always confirm the current position from the vendor's own trust center before assuming either way. ModelCharter's HIPAA compliance hub and the AI Tool Risk Directory record which tools offer a BAA and on which tier.