Healthcare organizations routinely share information with vendors, contractors, consultants, and service providers to deliver high-quality patient care. However, the type of agreement used to protect that information depends entirely on the nature of the data being shared. Two of the most common agreements in this space are the business associate agreement (BAA) and the non-disclosure agreement (NDA).
At first glance, they may appear similar since both deal with confidentiality. However, they serve different purposes, carry different legal obligations, and apply in different circumstances. Using one in place of the other can lead to costly compliance failures, particularly when protected health information (PHI) is involved.
What is a BAA?
A business associate agreement (BAA) is a legally binding contract required under the Health Insurance Portability and Accountability Act (HIPAA). It is signed between a covered entity and a business associate. Examples of business associates:
- Email service providers
- Cloud storage platforms
- Billing companies
- Medical transcription services
- EHR vendors
- IT security firms
- Telehealth platforms
- Data analytics companies
A BAA outlines the specific obligations a vendor has regarding the privacy and security of PHI. It ensures that both parties understand how PHI may be used, how it must be protected, and what must happen in the event of a data breach. HIPAA requires the BAA to:
- “Ensure that the business associates will appropriately safeguard protected health information.”
- “Clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate.”
What is an NDA?
A Non-Disclosure Agreement (NDA) is a general confidentiality contract used to protect sensitive business information between two parties: “one that holds sensitive information and the other that will receive that sensitive information,” as Investopedia puts it. It is not healthcare-specific and is not tied to HIPAA. Organizations use NDAs when sharing proprietary, strategic, or confidential information with employees, contractors, partners, or other third parties.
An NDA prevents one or both parties from revealing information outside the permitted scope. It protects trade secrets, intellectual property, internal documents, client lists, financials, and other sensitive business information.
Examples of NDA use cases:
- Partnerships or collaborations
- Product development discussions
- Vendor evaluations
- Hiring contractors or consultants
- Sharing marketing, financial, or operational plans
- Interviews involving sensitive information
NDAs are common across all industries, from tech to finance to pharmaceuticals, because they protect a broad range of confidential information.
Differences between a BAA and an NDA
While both agreements relate to confidentiality, their purpose, scope, and legal authority differ significantly. Understanding these differences ensures organizations stay compliant and avoid unnecessary risks.
Purpose
- BAA: Protects PHI and ensures HIPAA compliance.
- NDA: Protects general confidential or proprietary information.
Legal requirements
- BAA: Required by federal law (HIPAA).
- NDA: Not required by law; optional based on business needs.
When they are used
- BAA: Used only when PHI is involved.
- NDA: Used for business information unrelated to PHI.
Scope of protection
- BAA: Covers security measures, breach notifications, permissible uses of PHI, subcontractor obligations, and compliance assurances.
- NDA: Covers what constitutes confidential information, restrictions on disclosure, confidentiality duration, and legal remedies for violations.
Consequences of non-compliance
- BAA: Violations may result in HIPAA penalties, fines, lawsuits, and reputational damage.
- NDA: Violations may lead to civil litigation, financial damages, and termination of business relationships.
Complexity
- BAA: Detailed, specific, and more extensive due to HIPAA requirements.
- NDA: Shorter, simpler, and flexible.
What a BAA must include
HIPAA outlines several mandatory provisions that every BAA must contain, including:
- Permitted and required uses and disclosures of PHI: The agreement must clearly establish how the business associate is allowed to use and disclose PHI. It should limit their actions to those necessary for providing services to the covered entity, or as required by law.
- Limitations on use and disclosure: The business associate must agree not to use or further disclose PHI in any way that isn’t permitted under the agreement or by law. This ensures they can’t exploit the data for unauthorized purposes.
- Safeguards to protect PHI: The BAA must require the business associate to implement appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure. This includes adhering to the HIPAA Security Rule for electronic PHI (ePHI).
- Reporting of unauthorized uses and breaches: The business associate must commit to reporting to the covered entity any unauthorized use or disclosure of PHI, including breaches of unsecured PHI and security incidents they become aware of.
- Assistance with individual rights: The BAA must require the business associate to help the covered entity fulfill patients’ rights under HIPAA, including:
  - Providing access to PHI for individuals requesting copies;
  - Making amendments to PHI when needed;
  - Providing an accounting of disclosures.
- Compliance with Privacy Rule obligations: If the business associate is expected to carry out any obligations of the covered entity under the HIPAA Privacy Rule, the contract must explicitly require compliance with those requirements.
- Access for government audits: The business associate must agree to make its internal practices, books, and records relating to PHI available to HHS for compliance audits or investigations.
- Return or destruction of PHI at termination: At the end of the relationship, the BAA must require the business associate to return or destroy all PHI received or created on behalf of the covered entity, when feasible. If return or destruction isn’t feasible, the BAA should outline alternative protections.
- Subcontractor obligations: The business associate must ensure that any subcontractors who will have access to PHI agree to the same restrictions and conditions. This requirement ensures PHI remains protected throughout the service chain.
- Termination for cause: The covered entity must retain the right to terminate the BAA if the business associate violates a material term of the agreement, protecting the covered entity from ongoing exposure to non-compliance.
What an NDA typically covers
While the specific wording and structure of every NDA can differ depending on the situation, most well-drafted NDAs include several core components that define what information is protected and how it must be handled.
- Identification of the parties involved: An NDA must start by clearly identifying who the parties are—the disclosing party, which shares confidential information, and the receiving party, which agrees to protect it. NDAs can be unilateral (one party receives information), mutual (both parties share and protect information), or multilateral (multiple parties involved).
- Definition of confidential information: An NDA must, in detail, define what constitutes “confidential information.” This can be broad, for example, encompassing all non-public business data, or specific, such as particular files, strategies, or technical specifications. Clearly defining this scope is critical because it determines what information the NDA protects.
- Purpose and scope of use: The NDA should specify why the information is being shared and how it may be used. This prevents the receiving party from exploiting the information for purposes outside of the agreed context, such as using business plans for personal gain or sharing intellectual property with competitors.
- Obligations of the receiving party: The agreement must outline what the receiving party is required to do to maintain confidentiality. This typically includes keeping the information secure, limiting access to authorized individuals, and refraining from sharing or using the data beyond permitted purposes.
- Duration of the agreement: NDAs usually state how long the confidentiality obligations last. This can be a fixed time period (often one to five years) or extend indefinitely, especially for highly sensitive data like trade secrets. The duration should reflect the nature of the information and business needs.
- Exclusions and exceptions: Effective NDAs include exclusions from what is considered confidential, such as information already in the public domain, known prior to signing, or independently developed without reference to the disclosed data. These exceptions help avoid unfair or unenforceable restrictions.
- Consequences of breach: An NDA should clearly state the potential remedies and consequences if the agreement is violated. This may include financial damages, injunctive relief (a court order to prevent further disclosure), or legal costs, deterring unauthorized disclosure by making consequences explicit.
- Miscellaneous provisions: Many NDAs also include additional legal clauses, such as the governing law (which jurisdiction’s legal rules apply), notice requirements, and provisions addressing how disputes will be resolved. These help clarify legal rights and processes if enforcement becomes necessary.
Why a BAA cannot replace an NDA (and vice versa)
NDAs do not meet HIPAA’s requirements because they do not address the technical and administrative safeguards required to protect PHI. An NDA also doesn’t specify the mandatory breach notification process or PHI use limitations.
Similarly, a BAA alone will not protect other types of business information, such as pricing, contract terms, client lists, or proprietary methods. In many healthcare vendor relationships, both agreements are appropriate because they protect different types of information:
- If PHI is involved, a BAA is mandatory.
- If confidential business information is involved, an NDA is recommended.
FAQs
Who is considered a business associate under HIPAA?
Any vendor or third party that creates, collects, transmits, stores, or uses PHI on behalf of a covered entity. This includes email service providers, billing companies, EHR vendors, IT contractors, transcription services, and more.
Can a vendor sign both an NDA and a BAA?
Yes. Many healthcare organizations require both. The NDA protects general business information, while the BAA protects PHI and ensures HIPAA compliance.
Do BAAs apply outside of healthcare?
BAAs are specific to the U.S. healthcare industry under HIPAA. Other industries may use NDAs or specialized data-protection agreements, but BAAs are unique to PHI handling.
Should employees sign NDAs if their company has a BAA?
Employees don’t sign external BAAs, but they should sign internal NDAs or confidentiality agreements to protect non-PHI business information and reinforce privacy obligations.