What Is a BAA? HIPAA for Therapy Practices
Business Associate Agreement explained for US psychologists — when you need one, what it covers, and how it fits into full HIPAA compliance.
Updated June 12, 2026 · 5 min read
A Business Associate Agreement (BAA) is a contract required under US HIPAA whenever a vendor handles protected health information (PHI) on behalf of a covered entity, such as your practice. If you are a US psychologist storing client names, session notes, or billing records that include diagnoses in cloud software, you almost certainly need a BAA with that vendor before go-live.
Who needs a BAA?
- Private psychology and therapy practices storing PHI electronically
- Vendors that store, transmit, or process PHI (cloud EHR, practice management, telehealth)
- Not typically needed for pure payment processors that handle only card numbers with no accompanying health context
PsycSuit signs a BAA with US HIPAA-covered practices at activation. See the BAA page for an overview.
What a BAA usually covers
- Permitted uses of PHI — only for providing the service to your practice
- Safeguards the vendor must maintain
- Breach notification to your practice
- Subcontractor (subprocessor) flow-down requirements
- Return or destruction of PHI at contract end
- Your right to audit or obtain vendor compliance information
A BAA does not make you fully compliant alone
HIPAA compliance is shared: the vendor’s BAA covers their obligations; your practice still needs policies, training, individual logins, device security, and client rights processes.
Outside the United States
FAQ
- When must a therapy practice sign a BAA? Before storing PHI with a cloud vendor that handles data on your behalf; typically at activation, not after months of live client data have accumulated.
Try PsycSuit in your practice
Scheduling, clinical notes, PHQ-9 & GAD-7, billing, client portal, and telehealth in one Practice OS. Free trial after approval — no card required to apply.