How Do I Set Up a BAA with an AI Vendor?
To set up a BAA with an AI vendor, first confirm they're willing to sign one at all, then request their standard Business Associate Agreement template, review it for PHI handling, subprocessor disclosure, and breach notification terms, and execute it before any patient data touches their systems. Many popular AI vendors, including the standard tiers of OpenAI, Anthropic, and Google, won't sign a BAA unless you're on an enterprise plan. If a vendor won't sign, you can't legally send them PHI.
Why getting this wrong is a HIPAA violation, not just a paperwork gap
A BAA isn't a formality. Under HIPAA's Privacy and Security Rules, any vendor who receives, stores, or processes protected health information on your behalf is a Business Associate. You're required to have a signed agreement in place before that data relationship begins. No BAA means no legal authorization for the vendor to touch PHI, full stop.
The common mistake healthcare SMBs make is assuming that because a vendor is SOC 2 Type II certified or claims to be 'HIPAA-ready,' a BAA is automatically in place. It isn't. Certification and compliance posture are separate from a signed legal agreement. You need both.
The actual steps to execute a BAA with an AI vendor
Start by asking the vendor directly: 'Do you sign Business Associate Agreements, and under which plan?' Many vendors only offer BAAs at enterprise tiers with custom contracts. OpenAI's BAA is available under their enterprise agreement. Google Cloud offers a BAA that can cover Vertex AI. Microsoft's BAA under HIPAA covers Azure services including certain Copilot deployments, but the terms matter. Get the answer in writing before you build anything.
Once you have their template, review these four things before signing. First, confirm the agreement explicitly covers the specific services you'll use, not just the vendor's platform in general. Second, check the subprocessor list. If their model inference runs on a third-party cloud that isn't also under a BAA, you have a gap. Third, verify breach notification timelines. HIPAA requires business associates to notify you without unreasonable delay and no later than 60 days after discovery of a breach. Make sure the vendor's contractual deadline matches or beats that. Fourth, confirm data retention and deletion terms. You need to know how long they store inputs, whether they use your data for model training, and how to request deletion, all in writing.
After review, negotiate any terms that don't meet your requirements, then execute the agreement with authorized signatures on both sides. File a copy. Log the effective date. Don't let any PHI flow until that date is confirmed.
When the process gets more complicated
If you're using a multi-vendor AI stack, you need a BAA with each vendor in the chain that touches PHI. This includes your LLM provider, any vector database storing embeddings of patient records, your telephony layer if you're running AI voice agents (Twilio, for example, offers a BAA), and any integration middleware. One signed BAA with your primary AI vendor doesn't cover the rest of the stack.
If you're deploying a private LLM on your own infrastructure or a dedicated cloud instance, the BAA dynamic shifts. You may be signing with a cloud provider like AWS or Azure rather than an AI model company, since the model runs inside your own environment. That's actually cleaner from a compliance standpoint, and it's the architecture we prefer for HIPAA-regulated clients.
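The subprocessor check above and the rule that every vendor in the chain needs its own BAA are easy to get wrong once the stack has more than two or three parties, so it helps to keep a machine-checkable inventory. The script below is an added example written for this page, not Usmart's tooling or any vendor's API: it models each vendor's BAA status, walks the subprocessor chain transitively from the vendors you send PHI to directly, and refuses to let PHI flow while any party in that chain lacks an executed BAA, a covered service, a breach-notification term no slower than 60 days, or a written answer on training use. The vendor names, dates and deadlines in the sample inventory are constructed.

```python
"""BAA coverage gate over a PHI data-flow inventory (illustrative example).

Not Usmart's code and not any vendor's API; vendor names, dates and
notification terms below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Outer limit in HIPAA's Breach Notification Rule: business associates must
# notify the covered entity no later than 60 days after discovery.
HIPAA_BREACH_NOTICE_DAYS = 60


@dataclass
class Vendor:
    name: str
    baa_executed: bool = False
    baa_effective_date: Optional[str] = None      # ISO date; None until both sides sign
    covered_services: Set[str] = field(default_factory=set)   # services the BAA names
    services_used: Set[str] = field(default_factory=set)      # services you actually call
    subprocessors: List[str] = field(default_factory=list)    # vendors this one passes PHI to
    breach_notice_days: Optional[int] = None      # contractual deadline; None if not stated
    trains_on_customer_data: Optional[bool] = None  # None = not answered in writing


def phi_chain(stack: Dict[str, Vendor], roots: List[str]) -> Set[str]:
    """Every party that can see PHI: the vendors you send it to, plus their
    subprocessors, transitively. Unknown names are kept so they get flagged."""
    seen: Set[str] = set()
    todo = list(roots)
    while todo:
        name = todo.pop()
        if name in seen:
            continue
        seen.add(name)
        if name in stack:
            todo.extend(stack[name].subprocessors)
    return seen


def audit(stack: Dict[str, Vendor], roots: List[str]) -> List[Tuple[str, str]]:
    """Return (vendor, problem) pairs; an empty list means the chain is covered."""
    findings: List[Tuple[str, str]] = []
    for name in sorted(phi_chain(stack, roots)):
        v = stack.get(name)
        if v is None:
            findings.append((name, "named as a subprocessor but missing from the inventory"))
            continue
        if not v.baa_executed or not v.baa_effective_date:
            findings.append((name, "no executed BAA with a confirmed effective date"))
            continue  # nothing else matters until the agreement exists
        uncovered = v.services_used - v.covered_services
        if uncovered:
            findings.append((name, f"BAA does not cover services in use: {sorted(uncovered)}"))
        if v.breach_notice_days is None or v.breach_notice_days > HIPAA_BREACH_NOTICE_DAYS:
            findings.append((name, "breach notification term missing or slower than 60 days"))
        if v.trains_on_customer_data is None or v.trains_on_customer_data:
            findings.append((name, "training use of your data is unconfirmed or permitted"))
    return findings


def phi_may_flow(stack: Dict[str, Vendor], roots: List[str]) -> bool:
    """The gate: PHI flows only when the audit of the whole chain is clean."""
    return not audit(stack, roots)


# Constructed sample stack: an LLM API, the cloud it runs inference on,
# a vector database for record embeddings, and a telephony layer.
STACK: Dict[str, Vendor] = {
    "llm-provider": Vendor("llm-provider", True, "2025-01-15", {"chat-api"}, {"chat-api"},
                           ["inference-cloud"], 30, False),
    "inference-cloud": Vendor("inference-cloud"),           # no BAA in place: the gap
    "vector-db": Vendor("vector-db", True, "2025-02-01", {"managed-cluster"},
                        {"managed-cluster"}, [], 90, False),  # 90 days is too slow
    "telephony": Vendor("telephony", True, "2025-02-10", {"voice"}, {"voice", "transcription"},
                        ["carrier-x"], 10, False),           # transcription not covered
}
ROOTS = ["llm-provider", "vector-db", "telephony"]  # the vendors you send PHI to directly

if __name__ == "__main__":
    for vendor, problem in audit(STACK, ROOTS):
        print(f"{vendor}: {problem}")
    print("PHI may flow" if phi_may_flow(STACK, ROOTS) else "PHI blocked until gaps are closed")
```

Run it before any integration work starts and again whenever a vendor changes its subprocessor list; the point of walking the chain transitively is that a clean BAA with the primary vendor still fails the gate when a downstream party it passes PHI to has no agreement or is not in your inventory at all.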
How we handle BAAs at Usmart
For healthcare clients, we build private LLM deployments rather than routing PHI through public APIs. That means the compliance boundary sits inside your infrastructure or a dedicated instance, and the BAA is typically with your cloud provider, not with a model company that has unclear data retention practices. We sign a BAA ourselves as a Business Associate before any project work begins on HIPAA-regulated systems.
We also audit the full vendor stack before deployment. If a client wants to use an external API for any part of the workflow, we flag every vendor in that chain that would need its own BAA and help them work through each agreement. We've done this across healthcare, finance, and real estate deployments from our Dallas base. The BAA process is rarely the bottleneck when it's handled before architecture decisions are locked in.
Ready to see it working for your business?
Book a free 30-minute strategy call. We will scope your use case and give you honest numbers on timeline, cost, and ROI.