AI Trust & Security

HIPAA and AI: What a Business Associate Agreement Actually Means

Rafael MasJune 29, 20268 min read

When you use an AI tool with health information, a quiet but critical question hangs over the whole interaction: is there a legal agreement that actually obligates that vendor to protect your data? Under HIPAA, that agreement has a name, the Business Associate Agreement, and it is not optional. Yet many AI tools handling health-adjacent data operate without one, or without the chain of them that HIPAA actually requires. Understanding what a BAA is, and what it is not, is the difference between a tool you can responsibly use with health data and one you cannot.

Key Takeaways

  • HIPAA requires a Business Associate Agreement (BAA) between a covered entity and any vendor that handles protected health information (PHI).
  • When an AI tool processes PHI, every AI provider in the chain needs a BAA, not just the app you see.
  • A BAA is a legal contract, not a certification or a government seal. There is no official "HIPAA certified" stamp.
  • A company can be a Business Associate, bound by HIPAA obligations, without being a hospital or insurer.
  • Ask which providers a tool routes your data to, and whether each has an executed BAA, before trusting it with health information.

What HIPAA Actually Requires

HIPAA, the Health Insurance Portability and Accountability Act, sets rules for how protected health information is handled. It defines two key roles. A Covered Entity is a healthcare provider, health plan, or clearinghouse, the organizations at the center of the health system. A Business Associate is any vendor or partner that handles PHI on a Covered Entity's behalf: a billing company, a cloud host, an analytics provider, or an AI tool. The moment a Business Associate touches PHI, HIPAA requires a Business Associate Agreement to be in place.

The BAA is the contract that binds the vendor to HIPAA's obligations: safeguarding the data, limiting how it is used, reporting breaches, and ensuring that anyone they pass the data to is bound by the same terms. Without a signed BAA, a vendor handling PHI is not just careless, it is non-compliant by definition.

Why AI Makes the BAA Question Harder

Here is what makes AI different from a traditional vendor. When you send a prompt containing health information to an AI tool, that tool often does not run the AI model itself. It routes your request to a large language model provider, a foundation model running on someone else's infrastructure. So the data does not stop at the app you can see. It flows to the model provider behind it.

That means HIPAA compliance is not a single agreement, it is a chain. The app needs to be a Business Associate. And the AI model provider it routes to needs its own BAA, because PHI is reaching their systems too. If any link in that chain lacks a BAA, the chain is broken, and PHI is being processed by a party with no legal obligation to protect it. A tool can look polished and still have a hole in this chain that the user never sees.

The Question That Cuts Through It

Ask any AI health tool one question: which AI providers does my data reach, and do you have an executed Business Associate Agreement with each of them? A clear, specific answer is a good sign. A vague one is a warning.

What a BAA Is Not

It is worth being precise, because the language around HIPAA is often misused in marketing. A BAA is a contract. It is not a certification, and there is no government body that issues a "HIPAA certified" badge. When a product claims to be "HIPAA compliant," that is a self-assessment of its own practices, not a stamp granted by any authority. Real assurance comes from independent attestations like SOC 2 or HITRUST, and from the verifiable existence of the BAAs themselves, not from a logo.

Reading HIPAA Claims Honestly

  • "HIPAA certified" is not a real designation. No agency certifies HIPAA compliance.
  • "HIPAA compliant" is a self-description. Ask what specifically backs it.
  • A signed BAA is concrete and verifiable. Ask whether one exists for each data processor.
  • SOC 2 and HITRUST are independent attestations that carry real weight. Ask whether they are in place or on the roadmap.
  • Encryption in transit and at rest is a baseline expectation, not a differentiator.

How MiAngel Handles This

MiAngel operates as a Business Associate, which means it holds itself to HIPAA's obligations as a self-imposed standard wherever it processes protected health information. Crucially, it extends that discipline down the chain. Where PHI is processed, MiAngel routes only to AI providers covered by an executed Business Associate Agreement, currently two executed BAAs with its primary and failover AI providers, and excludes any provider from PHI handling until a BAA is in place. The point is not a badge. It is that the legal chain is actually intact, link by link.

MiAngel Middleware AI (GMAI) reinforces this at the technical level. Before any request reaches an AI model, GMAI verifies identity, checks consent scope, applies policy, and logs the interaction in a tamper-evident audit trail. So the question "who was allowed to access this data, and did they" has an answer that can be produced, not just asserted. SOC 2 attestation is on the roadmap as the formal, independent validation of these controls.

Architecture, Not Adjectives

HIPAA discipline is not a word you put on a homepage. It is a chain of signed agreements and an architecture that can prove who accessed what. MiAngel is built so the chain is real and the proof exists.

Frequently Asked Questions

Does every AI tool that touches health data need a BAA?

If it handles protected health information on behalf of a covered entity, yes. And so does every downstream AI provider it routes that data to.

Is there such a thing as HIPAA certification?

No. HIPAA compliance is not certified by any government body. Claims of being "HIPAA certified" are misleading. Independent attestations like SOC 2 and HITRUST are the real market signals.

Can a small startup be a HIPAA Business Associate?

Yes. Business Associate status is about the role you play in handling PHI, not your size. Any company processing PHI for a covered entity is a Business Associate and must meet the obligations.

What should I ask an AI health tool about HIPAA?

Ask which AI providers your data reaches, whether each has an executed BAA, whether data is encrypted in transit and at rest, and whether they hold or are pursuing independent attestations like SOC 2.

See what a real trust chain looks like.

Meet DeBrah