Sign your Business Associate Agreement (BAA)

HIPAA requires a signed Business Associate Agreement between you (covered entity) and us (business associate) before we can handle PHI on your behalf. Sign electronically from Settings → Organization → HIPAA Compliance. Takes 2 minutes; valid for the life of your account.

Updated May 20, 2026 · 2 min read

If your practice handles Protected Health Information (PHI) — names, phone numbers, appointment details, medical questions, anything that identifies a patient and relates to their health — HIPAA requires a written agreement between you (covered entity) and us (business associate) before we can lawfully process that data on your behalf.

FrontDesk's BAA is the standard template you'd see from any HIPAA-compliant vendor, with our specific commitments around breach notification, subprocessors, and audit rights.

Where to sign

Settings → Organization → HIPAA Compliance tab.

This tab only appears for organizations whose business type is flagged as healthcare in our database (dental, medical, mental health, optometry, dermatology, chiropractic, veterinary, etc.). If you don't see it, your business type is non-healthcare and a BAA isn't required; see the FAQ below.

How to sign

  1. Open Settings → Organization → HIPAA Compliance.
  2. Read the BAA (the current version is BAA v1.0). You can also download the PDF for offline review or legal sign-off.
  3. Scroll to the bottom and type your full legal name in the signature field.
  4. Check the box confirming you have authority to sign on behalf of your organization.
  5. Click Accept & Sign.

We record:

  • The accepted version of the BAA
  • Your name and email
  • Your IP address
  • The timestamp in UTC

Both sides retain a PDF copy. You can re-download anytime from the same page.

What the BAA covers

  • We will only use PHI to provide the FrontDesk service to you
  • We won't sell, share, or use PHI for our own marketing
  • Breach notification within 30 days of discovery
  • A current list of our subprocessors (Twilio for telephony, OpenAI/Anthropic for AI processing, AWS for infrastructure) — each has signed their own BAA with us
  • Your right to request an accounting of PHI disclosures
  • Return or destruction of PHI on contract termination

What you're still responsible for

A BAA covers FrontDesk's obligations as your vendor — it doesn't make your practice HIPAA-compliant by itself. You still need:

  • A privacy notice to patients
  • Internal security and access controls
  • Employee training
  • Your own BAAs with other vendors handling PHI

Frequently asked questions

Do I need a BAA?

If you're a HIPAA covered entity (most healthcare practices — dental, medical, mental health, optometry, chiropractic, etc.) and FrontDesk will handle any PHI for you, then yes. HIPAA requires the BAA before we can lawfully process PHI on your behalf.

What if I'm not a healthcare practice?

You don't need a BAA. The Sign BAA workflow only appears for organizations whose business type is marked isHealthcare. Non-healthcare businesses (med spas without medical procedures, salons, fitness, hospitality) skip this step entirely.

Is the e-signature legally binding?

Yes. We record the accepted version of the BAA, your name, email, IP address, and timestamp. Both sides retain a PDF copy. The signature is valid under the federal ESIGN Act and state e-signature laws.

What if my BAA needs custom terms?

Contact support to request a redlined BAA. Common adjustments (subprocessor lists, breach notification windows, audit rights) are negotiable on Ultimate plans.
