The BAA as a Moat: HIPAA Business Associate Agreements in Healthcare Software Sales

Healthcare software founders often describe the execution of a HIPAA business associate agreement with a hospital system as a milestone. We treat it as a competitive signal — one of the most legible we have found in evaluating healthcare AI companies at Series A.

A BAA is a contract required under HIPAA between a covered entity (hospital, health plan, clinic) and a business associate (any company that handles protected health information on the covered entity's behalf). Executing a BAA requires the business associate to demonstrate that its technical and operational safeguards meet HIPAA's security and privacy requirements. For many companies, that means a security review, penetration testing documentation, incident response procedures, and — for companies handling clinical data — alignment with the Meaningful Use and USCDI data standards frameworks.

None of this is trivial. A health system's information security team reviewing a new AI vendor is not reviewing a standard enterprise SaaS contract. They are performing a risk assessment of a new node in their clinical data infrastructure. The first BAA typically takes six to eighteen months to negotiate and execute. Each subsequent one is faster as the company develops a compliance track record, but the initial crossing of this threshold is genuinely difficult.

This is why we treat the number of executed BAAs as a competitive signal, not just a compliance milestone. A company that has negotiated and executed three BAAs with different health systems has demonstrated that it can navigate the procurement, legal, and technical review processes that institutional healthcare buyers require. That is not a capability that a well-capitalized competitor can replicate quickly. The BAA track record is, in a meaningful sense, a moat — not because the contracts themselves prevent competition, but because the organizational capability to earn and maintain them takes years to build.

When we review healthcare AI companies, we want to understand not just whether they have BAAs, but the quality of the relationships those BAAs represent. A BAA from a rural critical access hospital is different from a BAA from a top-twenty academic medical center. Both are meaningful. The latter signals that the company has passed a more rigorous institutional review process and is trusted with a higher volume and complexity of clinical data.