
Do You Need A BAA For Your AI Notes Tool? (Probably Yes)

Using AI for patient notes? Learn why a Business Associate Agreement is essential for HIPAA.


You've just finished a patient visit. Instead of spending the next few minutes typing, you simply open an app on your phone, tap record, and the AI scribe generates a structured SOAP note for you. It's a game‑changer for productivity and burnout, but here's the critical question: what happens to that recording and the generated note after using the app?

If you're using a consumer‑grade transcription tool, the answer might be shocking. When the patient describes their symptoms, the recording, and the personal identifiers in it, may be stored on servers not designed for healthcare data and be accessible in ways that violate federal law. This isn't just a theoretical risk; it's a direct path to a serious HIPAA violation. The power of AI in healthcare is undeniable, but its safety hinges on a Business Associate Agreement (BAA). To use a HIPAA‑compliant AI scribe in your practice, you need to understand what this document does.

HIPAA 101: Covered Entities, Business Associates, and PHI

Before looking at the role of a BAA, you need a clear grasp of the key players and terms defined by the Health Insurance Portability and Accountability Act (HIPAA).

Who is a Covered Entity?

In the world of HIPAA, a Covered Entity is the primary custodian of patient data. If you are a healthcare provider who conducts certain transactions electronically (like billing insurance), you are a Covered Entity. This includes:

  • Healthcare Providers: Doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies.
  • Health Plans: Health Insurance companies, HMOs, company health plans, and government programs like Medicare and Medicaid.
  • Healthcare Clearinghouses: Entities that process non-standard health information they receive from another entity into a standard format (or vice versa).

As a Covered Entity, you are directly liable and legally responsible for protecting your patients' PHI.

What is Protected Health Information (PHI)?

Protected Health Information (PHI) is any “individually identifiable health information” that is created, stored, or transmitted by a Covered Entity. It's a broad category: HIPAA lists 18 specific identifiers that make health information individually identifiable.

Technical Definition: PHI refers to data that can be logically linked to a specific individual. This includes:

  • Common Identifiers: Names, addresses, dates (birth, admission, etc.), phone numbers, social security numbers.
  • Medical Identifiers: Medical record numbers, health plan beneficiary numbers.
  • Clinical Data: Diagnoses, treatment plans, lab results, medications.
  • Biometric Identifiers: Fingerprints, voice prints, full-face photos.

Example for AI Scribes:

An audio file of a patient visit is itself a container of PHI. The moment your recording contains a patient's voice (a biometric identifier) and they state, “My name is John Doe and my back pain has been worsening since my last visit,” the entire audio file is considered PHI. The AI’s transcription of that audio file is also PHI. You cannot separate the clinical content from the identifiers in this context.

Who is a Business Associate?

A Business Associate is any vendor or individual who performs functions or activities on behalf of a Covered Entity that involve the use or disclosure of PHI.

Think of them as an extension of your practice. Common examples include:

  • Medical billing companies.
  • Cloud storage providers (e.g., using AWS or Azure to store patient records).
  • Email marketing services that send patient reminders.
  • An AI scribe or medical note-taking service that processes patient audio, transcripts, or draft notes.

The critical link is this: If a vendor creates, receives, maintains, or transmits PHI for a covered function, they are a Business Associate. Your AI notes tool fits this description perfectly.

The Business Associate Agreement: The Cornerstone of Compliance

A Business Associate Agreement (BAA) is far more than a piece of paperwork; it is a legally binding contract required by HIPAA that formalizes the relationship between a Covered Entity and a Business Associate. It transforms the vendor relationship into an accountable partnership built on shared responsibility for data protection.

What Does A BAA Actually Do?

Think of a BAA as a rulebook that dictates exactly how a vendor must handle your patients' data. It legally obligates the Business Associate to the following core duties:

  • It outlines the permissible uses and disclosures of PHI.
  • It mandates that the Business Associate implement appropriate safeguards to protect PHI.
  • It requires the Business Associate to report any data breaches to the Covered Entity.
  • It ensures the Business Associate will not use or disclose PHI in a way that would violate HIPAA if done by the Covered Entity itself.

The “No BAA, No Deal” Rule for AI Tools

When it comes to HIPAA‑compliant AI notes that handle PHI, the rule is simple: if the vendor will not sign a BAA, you cannot use their service for patient care documentation.

  • Liability Shift: Using a tool without a BAA makes you, the Covered Entity, solely liable for any mishandling of PHI by that vendor. If the vendor suffers a data breach, and patient audio is leaked, you are responsible for the resulting fines and legal action.

Technical Safeguards A BAA Should Cover For An AI Scribe

A BAA is a promise of technical competence. When evaluating an AI vendor, you need to ensure their practices live up to the contract. Here are the critical technical areas a good BAA should explicitly cover.

1. Data Encryption: In-Transit and At-Rest

Encryption is the process of converting data into a coded format that is unreadable without a decryption key. For an AI scribe, this must happen in two states:

  • In-Transit: All data moving between your device and the vendor’s servers must be encrypted. This protects the information from being intercepted.
    • Look for the use of TLS (Transport Layer Security) 1.2 or higher.
  • At-Rest: All stored data must be encrypted while on the vendor's servers.
    • The industry benchmark is AES-256 (Advanced Encryption Standard with a 256-bit key).
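Added example (not code from the original article or from any vendor's product): a short Go program showing what those two safeguards look like on the practice side. `ScribeTLSConfig` pins the client floor to TLS 1.2, and `EncryptAtRest`/`DecryptAtRest` hold a recording under AES-256-GCM, rejecting a 16-byte key that would silently downgrade to AES-128 and failing on any tampered blob; all names and the sample bytes are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"io"
)

// ScribeTLSConfig is the client policy for uploads to the vendor: TLS 1.2 is the
// floor the article names, so a 1.0/1.1 server fails the handshake; cert checks stay on.
func ScribeTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// newGCM enforces the 32-byte (256-bit) key AES-256 needs; a 16-byte key would silently give AES-128.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAtRest seals a recording as nonce || ciphertext || tag (confidential and tamper-evident).
func EncryptAtRest(key, audio []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, audio, nil), nil
}

// DecryptAtRest reverses EncryptAtRest; a modified blob fails GCM authentication.
func DecryptAtRest(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("bad key or stored blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
```

Pass `ScribeTLSConfig()` to the HTTP transport that uploads audio, and keep the 32-byte key in a key manager rather than beside the encrypted recordings.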

2. Secure Data Storage and Processing

Where and how your data is processed is just as important as how it's encrypted.

  • Compliant Infrastructure: The vendor should host all PHI within a compliant cloud environment like Amazon Web Services (AWS), Google Cloud Platform, or Microsoft Azure. These providers offer services configured for healthcare data and will sign a BAA of their own, but the vendor remains responsible for configuring and operating those services correctly.
  • Access Controls: The BAA should mandate strict access controls, ensuring that only authorized vendor personnel can access PHI, and only for specific, audited reasons.

3. AI Model Training and PHI

This is the most critical and unique clause for an AI tool. Many consumer AI services improve their product by using user data to train their models. This is a violation of patient privacy in a healthcare context.

  • The BAA Must Be Explicit: Your BAA must contain language that explicitly forbids the vendor from using your patients’ PHI to train, fine-tune, or improve their general AI models.
  • Purpose Limitation: The agreement must state that the data will be used solely for the purpose of generating your patient's note during that specific session.

A Practical Checklist for Choosing a HIPAA-Compliant AI Scribe

Before you integrate any AI notes tool, use this checklist to ensure you and your patients are protected.

1. BAA Availability and Execution

  • Does the vendor explicitly offer a Business Associate Agreement?
  • Have you received a fully signed copy from them?

2. Beyond the Signature

  • Does the BAA clearly prohibit the use of your PHI for model training?
  • Does it mandate specific security controls like encryption and breach notification?
  • Does it define the permitted uses of your data solely for providing the service to you?

3. Technical Architecture and Audits

  • Can the vendor provide documentation of their security practices, such as a SOC 2 Type II report?
  • Do they use enterprise-grade, compliant cloud infrastructure for all data processing and storage?

4. Data Processing

  • For vendors operating internationally or serving global clients, a Data Processing Agreement for regulations like GDPR is a strong indicator of a mature data privacy program.

5. Employee Training and Access Controls

  • Does the vendor ensure that all employees with potential system access undergo regular HIPAA and security training?
  • Do they enforce strict role-based access controls with multi-factor authentication?

Conclusion

Adopting an AI scribe shouldn't mean trading security for efficiency. The Business Associate Agreement isn't a barrier to innovation, but the foundation that makes responsible innovation possible. A signed BAA for AI notes provides the legal and technical assurance that your vendor protects patient data with the same rigor you do. This enables you to leverage AI’s power while fully protecting your patients and your practice.

If you're ready for an AI scribe that prioritizes compliance as much as you do, our HIPAA-compliant AI notes include a mandatory BAA and enterprise‑grade security. Get started today. 


Frequently asked questions

  • Can I use a free version of an AI transcription tool if I de-identify the data first?

    While this seems like a clever workaround, it is a high‑risk strategy not recommended for clinical use. True de‑identification under HIPAA is a complex process that requires all 18 identifiers to be removed. For audio recordings, this is difficult.

    • The Voice Is An Identifier: A patient's voice itself is considered a biometric identifier. De-identifying the audio file would require distorting the voice beyond recognition, which defeats the purpose of using a transcription service.
    • Contextual PHI: Even if you attempt to redact personal details from the text, the clinical context itself could be re-identifiable.
    • Liability Remains: The act of de-identification is your responsibility. If you make an error and PHI is exposed, you are solely liable. Using a tool with a BAA is far safer and a more practical approach.

  • What if my AI tool vendor is based outside the US?

    HIPAA applies to you, the Covered Entity in the US, regardless of where your vendors are located. If a foreign‑based vendor creates, receives, or maintains PHI on your behalf, they are acting as a Business Associate. You are still required to obtain a BAA with them to remain compliant.

  • We only use the tool for internal memos, not official patient records. Do we need a BAA?

    Yes. The determining factor is not the final destination of the information, but the nature of the content being processed.

    • PHI is PHI: if the internal memos contain any Protected Health Information, then the tool is processing PHI.
    • The Tool's Perspective: The AI vendor has no way of knowing whether the audio it's transcribing is for an official record or an internal memo. From their perspective, they are handling data that contains patient identifiers and health information, which requires a BAA.