Backbuild Trust

HIPAA Business Associate Agreement

Last updated: 2026-04-11

What a BAA is

A Business Associate Agreement (BAA) is a contract required by HIPAA §164.502(e) whenever a HIPAA-covered entity, or a business associate acting for one, discloses Protected Health Information (PHI) to a business associate that will create, receive, maintain, or transmit PHI on its behalf. The BAA establishes the permitted uses and disclosures of PHI, the safeguards the business associate must maintain, its breach notification obligations, and the remedies available to the covered entity.

Any Backbuild customer that processes PHI through the platform must execute a BAA with Backbuild before loading PHI into the service. This is a legal requirement, not a commercial choice.

When a BAA is required

A BAA is required whenever the customer is a HIPAA-covered entity (such as a healthcare provider, health plan, or healthcare clearinghouse) or a business associate downstream of one, and the customer will use the Backbuild platform to process, store, or transmit PHI. If the customer does not process PHI, a BAA is not required.

HIPAA-aligned controls

Backbuild implements technical, administrative, and physical safeguards aligned with the HIPAA Security Rule. Key controls include:

For a full description of HIPAA alignment, see the HIPAA compliance page.

How to obtain a BAA

  1. Email with your company name and a brief description of the PHI use case.
  2. Backbuild will respond with the standard BAA document for review.
  3. Once signed by both parties, the BAA becomes part of the contract. PHI may then be loaded into the platform under the agreed terms.

Pricing

Backbuild does not charge a premium for HIPAA support. BAAs are free for all customers and are not limited to a "HIPAA tier" or an enterprise plan. Customers on any paid plan can request and execute a BAA.

Review time

Standard BAA requests are processed within five business days from receipt of a complete request. Requests for negotiated or customized terms may take longer and are handled on a case-by-case basis.

Scope and customer responsibilities

The BAA applies to PHI that the customer chooses to process through the platform. The customer remains responsible for its own HIPAA obligations, including the lawful basis for processing PHI, administrative safeguards within the customer's organization, and any obligations that arise from the customer's own covered-entity or business-associate relationships.

Contact

BAA requests: