A Business Associate Agreement (BAA) is a HIPAA-mandated contract that defines how a vendor (Business Associate) will handle protected health information (PHI) on behalf of a Covered Entity. Without a signed BAA, any vendor handling your PHI puts you in violation of HIPAA — regardless of how secure the vendor’s software is.
BAAs must cover: how PHI will be protected, breach notification timelines, what happens to PHI when the relationship ends, and that the vendor’s subcontractors are also bound by HIPAA. Every link in the data chain needs a BAA: if your portal uses AWS for hosting and SendGrid for email, both need BAAs with the portal vendor, who needs one with you.
See HIPAA Compliance.