The BAA Checklist: What Every Private Practice Needs Before Using Marketing Tools

A Business Associate Agreement is one of the most important — and most overlooked — documents in healthcare marketing. Here is what it is, who needs to sign one, and what to check before you use any marketing tool.

April 26, 2025 · by Doctor Rebrand

What Is a Business Associate Agreement?

A Business Associate Agreement, commonly called a BAA, is a legally required contract under HIPAA. It must be in place any time a covered entity — such as a physician's practice — shares Protected Health Information with a third-party vendor that handles that information on its behalf.

In plain terms: if you use a tool that may come into contact with your patients' data, and that tool is operated by an outside company, you need a BAA with that company before you start using it.

This applies to far more tools than most physicians realize — including many standard marketing platforms.

Who Qualifies as a Business Associate?

A business associate is any person or organization that performs a function or activity on behalf of your practice that involves access to PHI. This includes obvious parties like billing services and EHR vendors, but it also includes:

  • Email marketing platforms, if they send appointment reminders or any patient-specific communications
  • CRM systems that store patient contact records or inquiry history
  • Call tracking platforms that record or store patient phone calls
  • Web form tools that receive appointment requests or symptom-related inquiries
  • Chatbot or live chat tools embedded on your website
  • Any analytics platform that can connect user behavior to identifiable health information

The test is not whether PHI is intentionally shared — it is whether PHI could flow through the system during normal use. If it could, a BAA is required.

What a BAA Actually Does

A BAA does three things. First, it establishes that the vendor understands they may receive PHI and agrees to protect it under HIPAA standards. Second, it defines how the vendor may use that data — typically limiting it to the specific services they are providing to you. Third, it creates accountability: if the vendor causes a breach, the agreement defines their obligations to notify you and assist with remediation.

A BAA does not make a non-compliant tool compliant. This is a critical distinction. Signing a BAA with a vendor does not mean their platform is built to handle PHI safely. It means they have agreed to try. The technical and organizational safeguards the vendor has in place are a separate question — one worth asking.

Common Marketing Tools and Their BAA Status

This is where many practices are caught off guard. Some of the most commonly used marketing tools either do not offer BAAs at all, or only offer them on higher-tier paid plans.

Google Analytics — Google does not offer a BAA for Google Analytics in any standard configuration. This is one of the primary reasons its default use on healthcare websites is problematic.

Google Ads and Google Tag Manager — Google does not offer BAAs for its advertising products. Compliant use requires careful technical configuration to avoid PHI transmission, not a signed agreement.

Meta (Facebook) Pixel — Meta does not offer a BAA for its advertising pixel. Same situation as Google Ads — compliant use is a technical problem, not a paperwork one.

Mailchimp — Mailchimp explicitly states in its terms that it is not a HIPAA-compliant service and will not sign a BAA. It should not be used for any patient communications.

HubSpot — HubSpot offers a BAA for healthcare customers on certain plans. Confirm availability and plan requirements before use.

CallRail — CallRail offers a HIPAA-compliant plan that includes a BAA. It is not available on base-tier plans and requires specific configuration settings to be enabled.

Zoom — Zoom offers a BAA for healthcare providers through its healthcare-specific plan. Standard consumer Zoom accounts are not covered.

Typeform and standard web form tools — Most do not offer BAAs. If your website contact form asks about conditions, symptoms, or medications, this is a compliance gap.

The BAA Checklist

Before implementing any marketing tool at your practice, work through the following questions:

  • Does this tool receive or store any data submitted by patients or prospective patients? If yes, a BAA is likely required.
  • Does the vendor offer a BAA? If no, the tool should not be used in contexts where PHI may be involved.
  • Is a BAA available on your current plan, or does it require an upgrade? Many vendors offer BAAs only at enterprise pricing tiers.
  • Has the BAA actually been signed and executed? Availability is not the same as completion. Confirm the agreement is in place and on file.
  • Does the vendor's platform meet the technical safeguards HIPAA requires? Encryption at rest and in transit, access controls, and audit logging are minimum expectations.
  • What does the vendor do with your data beyond providing the service? Some platforms use customer data to train models or serve advertising. This is incompatible with a valid BAA.

One BAA Is Not Enough

A complete marketing technology stack for a private practice might include a website platform, an analytics tool, a call tracking service, a CRM, an email platform, a chat widget, and one or more advertising pixels. Each vendor that qualifies as a business associate needs its own BAA.

It is common for practices to have a BAA with their EHR vendor and assume that covers everything else. It does not. The BAA obligation follows the data, not the relationship.

How Doctor Rebrand Approaches This

When we build a marketing stack for a practice, we start with a compliance-first tool selection. That means evaluating each platform not just on functionality and cost, but on whether a BAA is available and whether the platform is genuinely built to operate in a regulated environment.

We maintain a working list of the tools we recommend and those we do not — based on their HIPAA posture, BAA availability, and how they handle healthcare data in practice. We also make sure that signed agreements are documented and that configuration settings required for compliance are actually enabled, not just assumed.

The Bottom Line

A BAA is not a formality. It is a legal requirement and a meaningful signal about how seriously a vendor takes data protection. If a vendor will not sign one, that is not a negotiating point — it is a disqualification for healthcare use.

Review every tool you currently use. Ask for the BAA. If it does not exist or cannot be produced, you have a compliance gap that needs to be closed — before a patient complaint, a regulatory inquiry, or a data incident forces the issue.