Compliance

What a BAA Actually Covers (and Why "Upon Request" Isn't Enough)

A Business Associate Agreement is a specific legal document with required contents, not a checkbox a vendor can wave at with "we're HIPAA compliant." If you're evaluating dental software that touches patient photos, here's exactly what a BAA has to cover — and why a vendor who only offers one "upon request" is telling you something.

July 13, 2026 · 5 min read

What a BAA Is, Precisely

A Business Associate Agreement is a contract required under HIPAA between a covered entity (your practice) and a business associate (any vendor that creates, receives, maintains, or transmits protected health information on your behalf). If a software vendor touches patient photos — and any AI smile simulation tool does — they're a business associate, and HIPAA requires a BAA before that relationship starts, not after.

What a BAA Must Actually Contain

  1. 1A description of the permitted and required uses of PHI by the vendor — what they're allowed to do with patient photos, and nothing beyond that
  2. 2A commitment that the vendor won't use or disclose PHI beyond what the agreement permits or the law requires
  3. 3A requirement that the vendor implement appropriate safeguards to prevent unauthorized use or disclosure
  4. 4A breach notification obligation — the vendor must report any unauthorized use or disclosure of PHI to your practice
  5. 5A requirement that any subcontractors the vendor uses agree to the same restrictions
  6. 6Provisions for returning or destroying PHI when the relationship ends
  7. 7The vendor's agreement to make records available to HHS if needed to determine compliance

A document missing several of these isn't a real BAA, whatever it's labeled — these aren't optional extras, they're the required contents.

Why "Available Upon Request" Is a Warning Sign

A vendor who only provides a BAA when a customer specifically asks for one is telling you two things: most of their customers probably haven't asked, and are therefore uploading patient photos without one, and the BAA isn't built into their standard onboarding — someone has to remember to request it, generate it, and get it signed before the account is actually in compliance. Every gap between "signup" and "signed BAA" is a window where patient photos are uploaded without one.

A vendor who builds the BAA into signup — required before the first upload — has made compliance the default rather than an opt-in someone has to remember.

Questions to Ask Before Signing

  • Is the BAA required before I can upload my first patient photo, or is it a separate request?
  • Does it name specific retention and deletion timelines, or vague "as needed" language?
  • Does it disclose any subcontractors (e.g. cloud storage, AI processing providers) and confirm they're bound by the same terms?
  • What's the breach notification timeline — hours, days, or unspecified?
  • Who signs on the vendor's side, and is it the entity actually storing the data, or a reseller?

The Short Version

A BAA is a defined legal document with required contents — permitted use, safeguards, breach notification, subcontractor terms, and data return/destruction. A vendor should have one ready before you upload a single patient photo, not after you ask. If getting one requires a special request, that's worth treating as a signal, not a formality.

BAA required at signup, not on request.

$5 per simulation, no subscription.