
BAA (Business Associate Agreement)

A contract under HIPAA between a covered entity and any third party that handles PHI on its behalf, defining each party's responsibilities for protecting that data.

A Business Associate Agreement (BAA) is a contractual prerequisite for a covered entity (clinic, payer, health system) to share PHI with a third party. The BAA defines what the business associate may do with the data, the safeguards they must maintain, the breach notification timelines, and the audit rights of the covered entity.

For software, a BAA is the gating question for vendor selection. AWS offers a BAA covering a defined list of HIPAA-eligible services. So does Azure. So does Google Cloud. The list is narrower than the full service catalog — for example, on AWS, Lambda, S3, RDS, DynamoDB, Bedrock, and Polly are HIPAA-eligible; some niche services are not.

In AI projects, the BAA question recurs at each layer: the embedding endpoint, the LLM endpoint, the vector database, the logging service, the analytics pipeline. Every service that touches PHI needs to be on the BAA list, or PHI must be excluded from that path. There is no middle ground — "we anonymize before sending" is a defensible pattern only if the de-identification meets HIPAA's Safe Harbor or Expert Determination standards, both of which have specific technical requirements.
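The per-layer gate described above, as an added example that is not part of the glossary entry: each pipeline stage either runs on a service from the BAA-eligible set or receives only a record that has been scrubbed to the Safe Harbor categories (45 CFR 164.514(b)(2)); a stage with no BAA that must see identified PHI fails closed. The service names, field names, the restricted ZIP3 placeholder set and the sample record are constructed for illustration; the BAA-eligible set must be copied from the provider's published HIPAA-eligible list, and Safe Harbor's "no actual knowledge" condition still requires human review that code cannot supply.

```python
"""PHI path gate with a Safe Harbor-style scrub (illustrative, not a compliance tool)."""
import re
from dataclasses import dataclass
from datetime import date

# Assumption: copied from the provider's published HIPAA-eligible list at deploy time.
BAA_ELIGIBLE = {"s3", "lambda", "rds", "dynamodb", "bedrock"}

# Field names in this example's own schema that map to Safe Harbor direct identifiers.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}
# ZIP3 prefixes covering fewer than 20,000 people collapse to "000".
# Placeholder set; populate from the current census-derived list.
RESTRICTED_ZIP3 = {"036", "059"}
# Patterns for identifiers that leak through free-text fields.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}


def safe_harbor_scrub(record: dict, today: date) -> dict:
    """Drop direct identifiers, generalize dates to year, cap age at 90+, truncate ZIP."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # direct identifier: removed entirely
        if key == "zip":
            zip3 = str(value)[:3]
            out[key] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
        elif key == "birth_date":
            age = today.year - value.year - ((today.month, today.day) < (value.month, value.day))
            if age > 89:
                out["age"] = "90+"  # ages over 89 aggregate; the birth year is dropped too
            else:
                out["birth_year"] = value.year
        elif isinstance(value, date):
            out[key] = value.year  # all other date elements except year are removed
        elif isinstance(value, str):
            for pattern in FREE_TEXT_PATTERNS.values():
                value = pattern.sub("[REDACTED]", value)
            out[key] = value
        else:
            out[key] = value
    return out


def residual_identifiers(record: dict) -> list:
    """Names of free-text patterns still present; should be empty after scrubbing."""
    found = []
    for value in record.values():
        if isinstance(value, str):
            found.extend(n for n, p in FREE_TEXT_PATTERNS.items() if p.search(value))
    return found


@dataclass
class Stage:
    name: str
    service: str
    needs_identified_phi: bool  # True when the stage cannot work on de-identified data


def route(record: dict, stages: list, today: date):
    """Decide per stage whether it gets PHI or the scrubbed record; fail closed otherwise."""
    scrubbed = safe_harbor_scrub(record, today)
    plan = {}
    for st in stages:
        if st.service in BAA_ELIGIBLE:
            plan[st.name] = "phi"
        elif st.needs_identified_phi:
            raise PermissionError(f"{st.name}: {st.service} has no BAA but requires identified PHI")
        else:
            plan[st.name] = "deidentified"
    return plan, scrubbed


# Constructed sample record and pipeline.
SAMPLE = {
    "name": "Jane Doe", "mrn": "000123", "zip": "02139",
    "birth_date": date(1930, 5, 1), "admit_date": date(2024, 3, 14),
    "notes": "Call 617-555-0100 re: follow-up",
}
PIPELINE = [
    Stage("embed", "bedrock", False),
    Stage("vectors", "third_party_vectordb", False),
]

if __name__ == "__main__":
    print(route(SAMPLE, PIPELINE, date(2024, 6, 1)))
```

The scrub is deliberately conservative (it drops rather than hashes direct identifiers), because a reversible transform does not meet Safe Harbor; a third-party analytics stage flagged `needs_identified_phi=True` without a BAA raises instead of silently receiving data.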
