If you need to be HIPAA compliant, then you need a BAA.
HIPAA requires that you have a signed agreement with any contractor who is considered a business associate. The agreement lists obligations and responsibilities of both organizations pertaining to the protection and use of the protected health information. Each entity covered by HIPAA is required to have such a contract for each organization they do business with that falls under the definition of business associate.
Determine if you need to be HIPAA compliant
If you are any of the following things, then you need a BAA:
- Health plan
- Health care clearinghouse
- Health care provider who conducts certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers.
- Business Associates of Covered Entities (entities that process PHI for the three listed above - like Doxy.me!)
For more information about Business Associate Agreements, please visit the U.S. Department of Health & Human Services website.