The phrase “HIPAA compliant” appears on the marketing page of nearly every healthcare technology vendor. It is also, on its own, legally meaningless.
I’ve spent years evaluating technology in regulated environments, and the pattern repeats: surface-level compliance claims substitute for actual accountability. In behavioral health, the thing that gives a covered entity real protection - the thing that HIPAA enforcement actually turns on - is a properly executed Business Associate Agreement (BAA) and the encryption, audit trails, and data-handling practices the BAA references.
The Department of Health and Human Services (HHS) Office for Civil Rights has been clear, in published guidance and enforcement actions, that the BAA is the binding instrument. “HIPAA compliant” without a signed BAA is a marketing claim a covered entity cannot rely on.
What a BAA actually has to contain
The HHS-published sample BAA provisions are detailed, but the structural requirements are consistent. A BAA must, at minimum:
- Establish the permitted and required uses of Protected Health Information (PHI) by the business associate.
- Provide that the business associate will not use or further disclose PHI other than as permitted or required by the BAA or by law.
- Require the business associate to use appropriate safeguards (administrative, physical, and technical) to prevent use or disclosure other than as permitted.
- Require the business associate to report any use or disclosure of PHI not permitted by the BAA, including any breach of unsecured PHI.
- Require that any subcontractors handling PHI agree to the same restrictions and conditions.
- Provide for termination of the BAA if the business associate violates a material term.
- Require the business associate to make its internal practices, books, and records available to the Secretary of HHS for compliance review.
These are the structural minimums. They are necessary but not sufficient.
What practices should also verify
The minimum BAA terms are a floor, not a ceiling. For an AI-enabled vendor handling session audio, transcripts, or clinical content, several additional points deserve explicit contract language.
Data retention. How long does the vendor retain audio, transcripts, derived data, and metadata? Is the retention configurable? What is the deletion process at termination?
Training data use. Is patient audio or transcript content ever used to train the vendor’s machine learning models - or any third party’s models? “Anonymized” or “aggregated” use should be explicitly addressed. De-identification approaches have not always held up under modern re-identification techniques - this is a well-documented gap in the research literature.
Subcontractor flow-down. Where does data physically travel? Cloud storage providers, transcription providers, model-inference providers - each is a potential subcontractor, and each requires its own BAA flow-down. The practice should know who the chain ends with.
Acquisition and successor obligations. What happens to the data if the vendor is acquired, merged, or dissolved? Does the BAA bind the successor? This is not a hypothetical: vendor acquisitions in health tech have disrupted data governance structures in documented cases, and clinicians who raise this concern are right to.
Breach notification timelines. The HIPAA Breach Notification Rule sets minimums; some BAAs tighten them. The practice should know the actual timeline.
Audit and inspection rights. Can the practice inspect the vendor’s controls? On what notice? With what scope?
International data flow. Some vendors process data outside U.S. jurisdiction, which has implications for legal recourse and regulatory exposure.
Patient consent is a separate question
A BAA addresses the covered-entity-to-business-associate relationship. It does not address patient consent to recording or AI processing. For any practice using AI-assisted tools, patients should know what is being recorded, where it goes, how long it is retained, and what their right to refuse or revoke looks like. This is not bureaucratic overhead. It is what protects the patient, the practice, and the clinical relationship.
The honest version of the argument
“HIPAA compliant” is a marketing phrase. The BAA is the contract. The BAA is necessary but not sufficient.
Practices that take the difference seriously - by reading the BAA, asking the additional questions, and verifying the answers in writing before any patient data flows - operate at materially lower regulatory risk than practices that treat “HIPAA compliant” as a checkbox. Clinicians raising these questions are not being paranoid. They are being correct.
Sources & References
- U.S. Department of Health & Human Services (HHS). Business Associate Contracts: Sample Provisions.
- HHS. Summary of the HIPAA Privacy Rule.
- HHS. Summary of the HIPAA Security Rule.
- HHS. Breach Notification Rule.
- HHS Office for Civil Rights enforcement actions.
- Federal Trade Commission. Health Breach Notification Rule.
- NIST. Special Publication 800-66 - HIPAA Security Rule Resource Guide.
#HIPAA #BAA #BehavioralHealthTech #DataPrivacy #PracticeCompliance #DigitalHealth #ReliefAI