If you need to be HIPAA compliant, then you need a BAA (Business Associate Agreement).
HIPAA requires that you have a signed agreement with any contractor who is considered a business associate. The agreement lists the obligations and responsibilities of both organizations pertaining to the protection and use of protected health information (PHI). Each entity covered by HIPAA is required to have such a contract with each organization it does business with that falls under the definition of a business associate.
If you are not sure whether you need to be HIPAA compliant:
As required by Congress in HIPAA, the Privacy Rule covers:
- Health plans
- Health care clearinghouses
- Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers.
- Business Associates of Covered Entities (entities that process PHI for the three listed above - like Doxy.me!)