HIPAA · COMPLIANCE

Why We Built Our BAA Into the Terms of Service

Published March 14, 2026

What Is a BAA and Why Does It Matter?

A Business Associate Agreement (BAA) is a written contract that HIPAA requires whenever a covered entity, such as a healthcare provider, engages a third party to create, receive, maintain, or transmit protected health information (PHI) on its behalf. If you use software that touches patient data, whether scheduling tools, EHR systems, transcription services, or AI scribes, HIPAA requires a signed BAA between you and that vendor before any PHI changes hands.

The BAA defines what the vendor (the "business associate") may and may not do with PHI. It establishes the safeguards they must maintain, their obligation to report breaches, and the conditions under which they may use or disclose patient information. Without a BAA in place, even the most secure software leaves the provider out of compliance: the missing agreement is itself a Privacy Rule violation, and HIPAA's civil penalty tiers run from $100 to $50,000 per violation in their statutory amounts (HHS adjusts the figures for inflation each year), with annual caps for repeated violations of the same provision.


The Traditional Approach: Separate Documents and Friction

Traditionally, signing a BAA involves a separate process from signing up for a service. You create your account, start exploring the product, and then at some point — maybe during onboarding, maybe buried in a settings page, maybe via an email from the vendor — you're asked to download, review, sign, and return a standalone BAA document. Sometimes this involves a PDF, sometimes a DocuSign link, sometimes an email exchange.

This creates real problems. The most common one is timing: clinicians start using the tool before the BAA is signed. They upload a transcript, record a session, or enter patient information — all before the legal agreement is in place. The compliance gap exists from the moment PHI touches the platform until the BAA is executed, and in practice, that gap can last days, weeks, or indefinitely if the clinician simply forgets to complete the separate signing step.

There's also the administrative burden. Solo practitioners and small practices don't have compliance departments tracking which vendors have signed BAAs. The separate-document approach adds friction that busy clinicians don't need — and the consequences of forgetting fall entirely on the provider.


Our Approach: The BAA Lives in the Terms

At MH Scribe, we took a different approach. Our Business Associate Agreement is embedded directly in Section 3 of our Terms of Service. When you accept the Terms — which happens when you create your account — you're simultaneously executing the BAA. There is no separate document to find, no PDF to download, no signature to chase down later.

This means the BAA requirement is satisfied immediately. From the first moment you use MH Scribe, the BAA is already in effect, so there is no window in which PHI sits on the platform without a contract governing it. As with any contract, the acceptance has to come from someone authorized to bind your practice, so the account should be created by the practitioner or an authorized administrator. The BAA is one of several HIPAA obligations, but it is the one the separate-document process most often leaves open, and here it is closed from day one.

What This Means for Clinicians

For the clinician, the embedded BAA eliminates an entire category of compliance work. You don't need to track down a separate agreement or worry about whether it was countersigned. The Terms of Service, including the BAA, are always available at a permanent URL that you can reference for audits, credentialing, or insurance reviews. One step remains yours: HIPAA requires covered entities to retain their BAA documentation for six years from the date it was last in effect, so save a dated copy of the Terms version you accepted rather than relying on the live page alone.

If a payer, licensing board, or compliance auditor asks for your BAA with MH Scribe, you point them to Section 3 of the Terms. It's versioned, dated, and publicly accessible.


What Our BAA Covers

Our BAA addresses the core requirements HIPAA places on business associate relationships, plus a commitment specific to AI tools:

Permitted uses and disclosures. PHI is used solely to provide the services you've engaged — generating clinical notes, billing code suggestions, continuity insights, and related features. We do not use PHI for marketing, advertising, or any purpose outside service delivery.
Safeguards. We maintain administrative, physical, and technical safeguards appropriate to protect the confidentiality, integrity, and availability of PHI. This includes encryption at rest and in transit, access controls, and audit logging.
Breach notification. In the event of a security incident involving PHI, we will notify affected covered entities in accordance with HIPAA breach notification requirements.
No model training on PHI. Your patient data is never used to train, fine-tune, or improve AI models. This is a contractual guarantee, not just a policy preference. Session transcripts and clinical notes are processed for your immediate use and are not fed back into any training pipeline.

Why This Is Becoming the Standard

The embedded-BAA approach is gaining traction across healthcare SaaS platforms, and for good reason. Modern cloud-based tools are self-service by design — clinicians sign up, accept terms, and start working within minutes. A separate BAA process introduces friction that conflicts with this model and creates compliance risk for the very users the regulation aims to protect.

By building the BAA into the Terms of Service, platforms like MH Scribe align the legal framework with the user experience. The BAA is executed automatically, at the moment of account creation, without requiring additional steps that can be delayed or overlooked. It's simpler for clinicians, cleaner for auditors, and stronger for patient privacy.


References

  1. Business Associate Contracts. U.S. Department of Health & Human Services. https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
  2. Summary of the HIPAA Security Rule. U.S. Department of Health & Human Services. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
  3. Breach Notification Rule. U.S. Department of Health & Human Services. https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

HIPAA Compliance From Day One

Read our Terms of Service (including the BAA), review our security practices, or use our HIPAA checklist to evaluate any AI documentation tool.