What a BAA Is, Precisely
A Business Associate Agreement is a contract required under HIPAA between a covered entity (your practice) and a business associate (any vendor that creates, receives, maintains, or transmits protected health information on your behalf). If a software vendor touches patient photos — and any AI smile simulation tool does — they're a business associate, and HIPAA requires a BAA before that relationship starts, not after.
What a BAA Must Actually Contain
- 1A description of the permitted and required uses of PHI by the vendor — what they're allowed to do with patient photos, and nothing beyond that
- 2A commitment that the vendor won't use or disclose PHI beyond what the agreement permits or the law requires
- 3A requirement that the vendor implement appropriate safeguards to prevent unauthorized use or disclosure
- 4A breach notification obligation — the vendor must report any unauthorized use or disclosure of PHI to your practice
- 5A requirement that any subcontractors the vendor uses agree to the same restrictions
- 6Provisions for returning or destroying PHI when the relationship ends
- 7The vendor's agreement to make records available to HHS if needed to determine compliance
A document missing several of these isn't a real BAA, whatever it's labeled — these aren't optional extras, they're the required contents.
Why "Available Upon Request" Is a Warning Sign
A vendor who only provides a BAA when a customer specifically asks for one is telling you two things: most of their customers probably haven't asked, and are therefore uploading patient photos without one, and the BAA isn't built into their standard onboarding — someone has to remember to request it, generate it, and get it signed before the account is actually in compliance. Every gap between "signup" and "signed BAA" is a window where patient photos are uploaded without one.
A vendor who builds the BAA into signup — required before the first upload — has made compliance the default rather than an opt-in someone has to remember.
Questions to Ask Before Signing
- Is the BAA required before I can upload my first patient photo, or is it a separate request?
- Does it name specific retention and deletion timelines, or vague "as needed" language?
- Does it disclose any subcontractors (e.g. cloud storage, AI processing providers) and confirm they're bound by the same terms?
- What's the breach notification timeline — hours, days, or unspecified?
- Who signs on the vendor's side, and is it the entity actually storing the data, or a reseller?
The Short Version
A BAA is a defined legal document with required contents — permitted use, safeguards, breach notification, subcontractor terms, and data return/destruction. A vendor should have one ready before you upload a single patient photo, not after you ask. If getting one requires a special request, that's worth treating as a signal, not a formality.