Business associate agreements for non-clinical wellness apps
Wellness platforms partnering with healthcare providers keep signing BAAs without understanding what they are signing. The recent enforcement uptick is a useful prompt to look again.
A wellness platform that begins partnering with a hospital, a clinic group, or an employer-sponsored health plan will quickly be presented with a business associate agreement. The BAA is a standard HIPAA document. It is also a much heavier piece of paper than its routine appearance suggests. The recent uptick in HHS Office for Civil Rights enforcement against business associates is a useful prompt to read these agreements like the operating documents they are.
A business associate is, in HIPAA terms, a person or entity that performs functions or activities on behalf of a covered entity that involve the use or disclosure of protected health information. Wellness platforms that sit alongside clinical care, that store data the clinical team consults, or that perform analytics on identifiable patient populations are the most common cases I see in this audience. The threshold for becoming a business associate is the function performed, not the formal title of the relationship. A signed BAA documents the relationship; it does not create it.
The substantive obligations once the BAA is signed are not light.
The first is the safeguard requirements of the HIPAA Security Rule. Administrative, physical, and technical safeguards have to be implemented, documented, and tested. The wellness platforms that struggle here are the ones whose product was built for the consumer-facing market and whose security program was designed for that posture. The Security Rule expects a different shape of program: written policies, periodic risk analyses, incident response procedures, and documentation that demonstrates the program is operating, not just that it exists.
The second is the breach notification regime. A breach involving protected health information triggers notice obligations to the covered entity (typically within 60 days, often shortened by contract to a much tighter window) and parallel reporting up to HHS for breaches affecting 500 or more individuals. The 60-day window is the regulatory ceiling, not the operational target. Most BAAs in 2026 require business associate notice in 5, 10, or 15 days, and several recent enforcement actions have turned on the gap between the contractual window and the actual notification.
The third is the subcontractor flow-down. A wellness platform that uses cloud storage, analytics vendors, or any third party with access to protected health information must obtain a BAA from each of those vendors that imposes the same obligations downstream. This is the area where wellness platforms most often discover, on review, that their existing vendor contracts are inadequate. Renegotiating vendor contracts post-signing is doable but not free.
The practical takeaway is to treat the first BAA you sign as the moment your company’s compliance posture changes, not a routine vendor signature. The Security Rule expectations apply now. The breach notification windows apply now. The subcontractor flow-down applies now. The most common pattern in the enforcement actions I read is a wellness platform that signed a BAA in 2023 and built the operational compliance program in 2025, after the breach. Doing the work in the right order is much cheaper.