Compliance · BAA

A BAA on every plan — covering the whole inference path.

A Business Associate Agreement is the contract that lets you put protected health information into an AI tool. Most AI vendors will now sign one — but a BAA only covers the services it names, and most AI BAAs are drafted narrower than the way teams actually use the tool. HASP includes a BAA on every paid plan, and holds its own BAAs with the inference providers behind the platform, so one agreement covers the entire path your PHI takes.

Compliance · frameworks we ship under

HIPAA: active, BAA included
SOC 2 Type II: inherited, AOC available under NDA
HITRUST r2: inherited, AOC available under NDA
GDPR (EU + UK): Art. 17, 20, 30
PIPEDA / CPPA (Canada): active, CPPA-ready
ISO 27001: in progress, target Q3 2026

What “BAA-included” means at HASP

“BAA-included” should mean the agreement is in place and it covers what you actually do. At HASP it means four specific things.

A BAA on every paid plan

The Business Associate Agreement is not a separate SKU, an enterprise upsell, or a sales negotiation. It is part of Solo, Professional, and Business — the same agreement, executed before any PHI moves.

The whole inference path, covered

HASP holds its own BAAs with the inference providers behind the platform. Your single agreement with HASP covers every entity that touches a prompt — there is no model provider left uncovered.

PHI handling you control

Every prompt is checked for PHI before it reaches a model. Your organization sets the policy: send it through under your BAA, redact it first, or block the request. Redaction is a choice, never a default.

A record the BAA can stand on

Every prompt, response, and access event is written to an append-only, hash-chained audit trail. A BAA promises accountability; the audit trail is how you actually prove it.
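The two controls described above (the pre-model PHI check with a pass-through / redact / block policy, and the append-only, hash-chained audit trail) can be shown together in one short program. This is an added illustration, not HASP's code and not a description of how its gate or trail is built: the regex detectors, the policy names, the echo model stub and the choice to log digests rather than plaintext are all constructed assumptions for the example.

```python
import hashlib
import json
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed, deliberately narrow detectors. Assumption: a production gate would use a
# tuned recognizer set; these three regexes exist only to drive the control flow below.
PHI_PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
}
POLICIES = ("allow", "redact", "block")  # assumed policy names, one per org-level choice


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def find_phi(text: str) -> Dict[str, List[str]]:
    """Every PHI match keyed by category; an empty dict means the prompt is clean."""
    hits = {name: pat.findall(text) for name, pat in PHI_PATTERNS.items()}
    return {name: m for name, m in hits.items() if m}


def redact(text: str) -> str:
    """Replace each match with a category tag so the model still sees the sentence shape."""
    for name, pat in PHI_PATTERNS.items():
        text = pat.sub(f"[{name.upper()}]", text)
    return text


@dataclass
class AuditTrail:
    """Append-only log: each entry's hash covers its body plus the previous entry's hash."""
    entries: List[dict] = field(default_factory=list)
    GENESIS = "0" * 64

    @staticmethod
    def _digest(body: dict) -> str:
        # Canonical JSON so the digest does not depend on key order.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event: str, detail: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "event": event, "detail": detail, "prev": prev}
        body["hash"] = self._digest(body)
        self.entries.append(body)
        return body["hash"]

    def verify(self) -> bool:
        """Recompute every digest and link; an edit, deletion or reorder breaks the chain."""
        expected_prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != expected_prev or self._digest(body) != e["hash"]:
                return False
            expected_prev = e["hash"]
        return True


def gate(prompt: str, policy: str, model: Callable[[str], str], audit: AuditTrail) -> dict:
    """Apply the organization's PHI policy before the prompt reaches the model."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    phi = sorted(find_phi(prompt))
    if not phi:
        sent, decision = prompt, "clean"
    elif policy == "block":
        # Refuse before any model call; the refusal is itself an auditable access event.
        audit.append("blocked", {"policy": policy, "phi": phi, "prompt_sha256": _sha256(prompt)})
        return {"decision": "block", "phi": phi, "sent": None, "response": None}
    elif policy == "redact":
        sent, decision = redact(prompt), "redact"
    else:  # "allow": PHI passes through as-is, relying on the BAA chain to cover every hop
        sent, decision = prompt, "allow"
    response = model(sent)
    # Digests rather than plaintext are logged here (a choice for this example); the entry
    # still commits to exactly what was sent and what came back.
    audit.append("inference", {"policy": policy, "decision": decision, "phi": phi,
                               "sent_sha256": _sha256(sent), "response_sha256": _sha256(response)})
    return {"decision": decision, "phi": phi, "sent": sent, "response": response}


if __name__ == "__main__":
    echo = lambda p: "summary of: " + p  # stand-in for the real model call
    trail = AuditTrail()
    note = "Pt MRN: 0012345, SSN 123-45-6789, DOB 04/12/1961. Summarize the visit."  # constructed
    for pol in POLICIES:
        print(pol, "->", gate(note, pol, echo, trail)["sent"])
    print("chain intact:", trail.verify())
    trail.entries[0]["detail"]["decision"] = "redact"  # simulate an after-the-fact edit
    print("chain intact after tamper:", trail.verify())
```

The point of the chain is the last two lines: rewriting one field of an old entry, or deleting or reordering entries, makes verify() fail, which is the property an auditor needs when a BAA's accountability promise has to be demonstrated rather than asserted. The regexes are intentionally crude; the control flow (detect, then apply the organization's chosen action, then record the decision) is what the example is about.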

A signed BAA is the floor, not the ceiling

Getting a vendor to sign a BAA has become easy. That is exactly why the signature is no longer the useful question. A BAA is a contract — it defines scope, and outside that scope it is silent. Most AI compliance failures are not missing signatures. They are signed agreements whose scope never matched the deployment.

This is the gap between a signed BAA and a compliant deployment — covered in depth in what a HIPAA BAA actually covers when AI is involved, and in the broader guide to HIPAA-compliant AI. The two questions buyers ask most often — whether ChatGPT is HIPAA-compliant and the same question for another leading AI assistant — both come down to the same thing: a BAA may be available, but does it cover the way your team actually works?

What a BAA actually has to cover

Before you call a deployment compliant, four things in the agreement have to be true — not assumed.

The AI service by name

A BAA covers the services it names — not the vendor's whole catalog. If the agreement names cloud infrastructure but the language model API is a separate product, your PHI is flowing through an uncovered service. The inference service has to be in scope explicitly.

Every sub-processor in the path

A prompt passes through more entities than the logo on your invoice. Each one that touches PHI is a potential business associate. Either your BAA names them, or your vendor holds BAAs with each — and your arrangement relies on that unbroken chain.

What happens to data after inference

A BAA should make clear that PHI is not used to train or improve a model, and that the prohibition extends to de-identified derivatives. “We don't train on your data” belongs in the agreement, not a support article.

The deployment, not just the product

If the BAA covers an enterprise tier but a staff member uses a consumer plan on the same device, that work is uncovered. Compliance needs the BAA scope and the actual data flows to match — which is an operational fact, not only a contractual one.

Working through this on a specific vendor is what the 20-point HIPAA AI vendor checklist is for.

The inference path most BAAs miss

A single AI request rarely stays with one company. Your application reaches the AI vendor; the vendor routes the prompt to an inference provider that runs the model; the response returns along the same path. Every hop that touches PHI is a potential business associate.

The most common quiet failure: a buyer signs a BAA with the AI vendor and assumes it covers everything, when the model provider behind the tool was never named anywhere. HASP removes that problem instead of handing it to you. HASP holds BAAs directly with its inference providers, so your one agreement covers the whole chain — and the sub-processor list documents every entity that processes data under it. Nothing in the path is left for you to track down.


BAA-included AI: frequently asked questions

What is a Business Associate Agreement, and why does an AI tool need one?

A Business Associate Agreement is the contract HIPAA requires before a covered entity shares protected health information with a vendor. The moment you send a prompt containing PHI to an AI tool, that tool's vendor, and every provider behind it, is handling PHI and needs to be under a BAA. Without one, the disclosure is a HIPAA violation no matter how good the output is.

Which HASP plans include a BAA?

A BAA is included on every paid plan, Solo, Professional, and Business, and on Enterprise. It is not a separate purchase or an upsell. Contact [email protected] to execute one.

Does the HASP BAA cover the model providers behind the platform?

Yes. HASP holds its own BAAs with the inference providers behind the platform, so your single agreement with HASP covers the full path a prompt takes. You do not have to track down or contract with a separate model provider.

Does PHI have to be redacted before it reaches a model?

No. With a BAA in place, PHI can flow to BAA-covered inference providers under that agreement; no redaction is required to stay compliant. Redaction is a policy option your organization can choose for specific flows. It is never forced on you, and it is never what compliance depends on.

Can our counsel review the BAA before we sign?

Yes. The HASP BAA is publicly viewable so your counsel can review it before any signature. Read it alongside the sub-processor list, which documents every entity that processes data under the BAA chain.

Get started

One BAA. The whole inference path. Real patient data.

Stop chasing a chain of agreements across a vendor and the model providers behind it. A BAA is included on every paid HASP plan and covers the full path your PHI takes. See the plans, or talk to our compliance team about executing one.