Compliance and Security
BAA Management
A Business Associate Agreement (BAA) is a contract required by HIPAA between a covered entity and any vendor that handles protected health information on its behalf. The HIPAA Basic add-on gives Vilulia organizations a built-in BAA tracking system where you can record each vendor BAA, track renewal dates, and monitor coverage status — all from the compliance dashboard. The platform BAA between your organization and Vilulia is signed directly in the dashboard.
What you'll learn
- What a BAA is and why HIPAA requires one
- How to sign the platform BAA
- How to add and track a vendor BAA in Vilulia
- How BAA status affects your compliance score
- How renewal reminders work
Signing the platform BAA
Before PHI can flow through Vilulia, a tenant admin must sign the platform BAA. To sign it, go to Settings → HIPAA Compliance and complete the BAA signing form. The required fields are the signatory's name and email address and an explicit agreement to the BAA terms. The platform records the signatory name and email and the signing timestamp, and creates a BAA record with a 3-year validity period (Vilulia's default renewal interval; HIPAA itself does not prescribe a fixed BAA term, so check that this matches the term in your executed agreement). Signing is idempotent: submitting the form a second time returns the existing signed date rather than creating a duplicate record.
The platform BAA must be in place before the HIPAA Enhanced secure messaging feature will accept messages. If the BAA lapses or is revoked, secure messaging endpoints return HTTP 403.
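The lifecycle described in the two paragraphs above, as an added example that is not Vilulia's own code: a small in-memory model of the signing form (required fields, 3-year term, idempotent re-submission) and of the secure-messaging gate that answers 403 once no platform BAA is in force. The class and method names, the 200 status for the allowed case, and the rule that a lapsed or revoked BAA can be signed afresh are assumptions; dates are passed in as ISO strings so the expiry behaviour can be exercised without a real clock.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Added example, not Vilulia's own code: a minimal in-memory model of the
# platform-BAA lifecycle described above (required fields, 3-year term,
# idempotent signing, HTTP 403 on the secure-messaging gate). Class and
# method names are assumptions, as is the rule that a lapsed or revoked
# BAA can be signed afresh and the 200 status for the allowed case.

PLATFORM_BAA_TERM = timedelta(days=3 * 365)   # the page's 3-year validity period


@dataclass
class PlatformBaa:
    signatory_name: str
    signatory_email: str
    signed_date: date
    expiry_date: date
    revoked: bool = False

    def in_force(self, today: date) -> bool:
        return not self.revoked and today < self.expiry_date


class Tenant:
    def __init__(self) -> None:
        self.platform_baa: Optional[PlatformBaa] = None

    def sign_platform_baa(self, name: str, email: str, agreed: bool, today: str) -> str:
        """Handle the signing form; returns the signed date as an ISO string.

        Idempotent: while a BAA is already in force the existing signed date is
        returned and no second record is written.
        """
        if not name.strip():
            raise ValueError("signatory name is required")
        if "@" not in email:
            raise ValueError("signatory email address is required")
        if agreed is not True:
            raise ValueError("explicit agreement to the BAA terms is required")
        now = date.fromisoformat(today)
        if self.platform_baa is not None and self.platform_baa.in_force(now):
            return self.platform_baa.signed_date.isoformat()
        self.platform_baa = PlatformBaa(
            signatory_name=name.strip(),
            signatory_email=email.strip().lower(),
            signed_date=now,
            expiry_date=now + PLATFORM_BAA_TERM,
        )
        return now.isoformat()

    def revoke_platform_baa(self) -> None:
        if self.platform_baa is not None:
            self.platform_baa.revoked = True

    def secure_messaging_status(self, today: str) -> int:
        """HTTP status the secure-messaging endpoints give this tenant: 403 with no
        BAA in force (never signed, lapsed or revoked), otherwise 200 (assumed)."""
        now = date.fromisoformat(today)
        if self.platform_baa is None or not self.platform_baa.in_force(now):
            return 403
        return 200


if __name__ == "__main__":
    tenant = Tenant()
    print(tenant.secure_messaging_status("2024-01-15"))                                     # 403
    print(tenant.sign_platform_baa("Dana Admin", "dana@example.org", True, "2024-01-15"))    # 2024-01-15
    print(tenant.sign_platform_baa("Other Admin", "other@example.org", True, "2024-02-20"))  # 2024-01-15 again
    print(tenant.secure_messaging_status("2026-12-01"))                                     # 200
    print(tenant.secure_messaging_status("2027-01-14"))                                     # 403, lapsed
```

Note that the 3-year term is counted in days here, so the lapse date of a BAA signed on 2024-01-15 falls on 2027-01-14; a production implementation should use whatever term and date arithmetic the executed agreement specifies.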
What the BAA tracker records
Each vendor BAA record in Vilulia stores:
- Vendor name: the name of the business associate.
- Vendor type: classification of the vendor (for example, covered_entity, business_associate).
- Status: one of pending, signed, active, expired, terminated, or under_review.
- Effective date: the date the BAA takes effect.
- Expiry date: the date the BAA expires or requires renewal.
- Signed date: the date the agreement was signed.
BAA and the compliance score
BAA status is one of four domains that contribute to your HIPAA Compliance Score. The BAA domain is worth up to 25 points, allocated as follows: 5 points for having at least one BAA, up to 10 points proportional to the percentage of BAAs that are active or signed (expired BAAs reduce this), 5 points if no BAAs expire within 60 days, and 5 points for having the platform BAA signed. See HIPAA Compliance Score for the full scoring breakdown.
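The BAA-domain allocation above, worked through as an added example rather than Vilulia's scoring code: a function that takes tracker records (status and expiry date) plus the platform-BAA flag and returns the four sub-scores and their total. Three details the page leaves open are assumptions here: the proportional 10 points are rounded to the nearest integer, "expiring within 60 days" is judged only for active or signed BAAs whose expiry date is still ahead, and the 5 "nothing expiring" points are not awarded to a tenant with no BAAs at all. The vendors in the sample portfolio are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Added example, not Vilulia's scoring code: computes the 25-point BAA domain
# from the allocation stated on the page. Assumptions: proportional points are
# rounded to the nearest integer; "expiring soon" considers only active/signed
# BAAs whose expiry is still ahead; the "nothing expiring" points require at
# least one BAA on file.

ACTIVE_STATUSES = {"active", "signed"}
EXPIRING_WINDOW = timedelta(days=60)


@dataclass
class VendorBaa:
    vendor_name: str
    status: str                 # pending, signed, active, expired, terminated, under_review
    expiry_date: Optional[str]  # ISO date, or None if not recorded


def baa_domain_score(baas: List[VendorBaa], platform_baa_signed: bool, today: str) -> Dict[str, object]:
    """Return the BAA-domain points with a per-rule breakdown."""
    now = date.fromisoformat(today)

    # 5 points for having at least one BAA on file
    has_any = 5 if baas else 0

    # up to 10 points proportional to the share that is active or signed;
    # expired, terminated, pending and under_review records all count against it
    good = [b for b in baas if b.status in ACTIVE_STATUSES]
    coverage = round(10 * len(good) / len(baas)) if baas else 0

    # 5 points if no counted BAA expires within the next 60 days
    expiring_soon = [
        b.vendor_name for b in good
        if b.expiry_date is not None
        and now <= date.fromisoformat(b.expiry_date) <= now + EXPIRING_WINDOW
    ]
    no_expiring = 5 if baas and not expiring_soon else 0

    # 5 points for the signed platform BAA
    platform = 5 if platform_baa_signed else 0

    return {
        "has_any_baa": has_any,
        "coverage": coverage,
        "no_expiring_within_60d": no_expiring,
        "platform_baa": platform,
        "expiring_soon": expiring_soon,
        "total": has_any + coverage + no_expiring + platform,
    }


# Constructed sample portfolio (fictional vendors), evaluated as of 2024-06-01.
SAMPLE_BAAS = [
    VendorBaa("Cloud Hosting Co", "active", "2026-03-31"),
    VendorBaa("Billing Clearinghouse", "signed", "2024-07-15"),      # 44 days out
    VendorBaa("Old Transcription Vendor", "expired", "2024-01-31"),
]


def sample_breakdown() -> Dict[str, object]:
    return baa_domain_score(SAMPLE_BAAS, platform_baa_signed=True, today="2024-06-01")


if __name__ == "__main__":
    for rule, points in sample_breakdown().items():
        print(f"{rule}: {points}")
```

For the sample portfolio this yields 5 + 7 + 0 + 5 = 17 of 25: two of three BAAs are active or signed (10 × 2/3 rounds to 7), and the Billing Clearinghouse agreement inside the 60-day window forfeits the renewal points, which is exactly the action item a practitioner would expect the dashboard to surface.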
Accessing BAA management
BAA status is displayed as a summary card on the HIPAA Compliance dashboard (Settings menu → HIPAA Compliance). The dashboard shows the count of active, total, and expiring-soon BAAs and links to action items. The HIPAA Basic add-on must be active to access this section.