Does athenahealth sign a HIPAA BAA?

Yes. Athenahealth executes a Business Associate Agreement with covered entity practices. The BAA covers athenahealth's handling of PHI across its EHR, practice management, and revenue cycle services. It does not substitute for the patient-facing NPP the practice must provide under 45 CFR § 164.520.

Does athenahealth provide patient intake documents including an NPP?

Athenahealth's patient intake tools allow practices to send and collect forms electronically, but practices must supply the document content. Athenahealth does not include a pre-built, compliant Notice of Privacy Practices in its intake document library. Practices must produce their own NPP and upload it to the system.

What do I still need if I use athenahealth?

You still need a HIPAA-compliant NPP aligned to the HHS February 2026 model, posted on your public website, displayed at your office, and provided to each patient at first service. Athenahealth's BAA and infrastructure do not satisfy this requirement.

EHR & Vendor

Does Athenahealth Provide a Notice of Privacy Practices?

Q: Does athenahealth provide a Notice of Privacy Practices?

No. Athenahealth (athenaOne) does not provide a HIPAA Notice of Privacy Practices for your practice. Athenahealth signs a BAA and provides HIPAA-compliant EHR and RCM infrastructure, but the NPP — required by 45 CFR § 164.520 — is the covered entity's responsibility.

By NPP Generator Research Team · Published Apr 24, 2026 · Last reviewed Apr 24, 2026 · 4 min read

Key Takeaways

✓ Athenahealth does not produce a HIPAA Notice of Privacy Practices for your practice
✓ Athenahealth does sign a BAA — covering the vendor relationship with your practice, not patient-facing HIPAA notices
✓ AthenaOne's intake tools let practices send forms electronically, but practices must supply the NPP content
✓ The NPP obligation is the covered entity's regardless of which EHR or RCM platform it uses
✓ The February 16, 2026 deadline for the HHS revised model has passed — pre-2026 NPPs are out of compliance

Quick answer: No — athenahealth does not provide a HIPAA Notice of Privacy Practices. It signs a BAA and provides HIPAA-compliant EHR and revenue cycle management infrastructure, but the NPP — the patient-facing document required by 45 CFR § 164.520 — is your practice's responsibility to create, post, and maintain.

Athenahealth (operating its platform as athenaOne) is one of the larger EHR and revenue cycle management providers in the US, serving independent practices, small groups, and health systems. Its HIPAA compliance infrastructure is robust — but "HIPAA-compliant EHR" and "fully HIPAA compliant" are not the same thing. The Notice of Privacy Practices is a covered-entity obligation that no EHR satisfies on the practice's behalf.

What Athenahealth Provides

Business Associate Agreement. Athenahealth executes a BAA with covered entity customers, committing to HIPAA obligations for PHI processed through its EHR, RCM, and patient engagement services.
HIPAA-compliant EHR. Encrypted records, audit logging, role-based access controls, and secure transmission across athenaOne's modules.
Patient engagement tools. Online scheduling, patient portal, and digital intake forms. Practices build their own forms; athenahealth provides the delivery mechanism.
Revenue cycle management. Claims submission, eligibility checks, and billing — all through HIPAA-standard electronic transactions.

Athenahealth does not include a pre-built Notice of Privacy Practices in its intake form library or document templates. Practices using athenaOne must produce their own NPP and add it to the patient intake workflow.

What the NPP Requires

A compliant NPP under 45 CFR § 164.520(b) must include:

The HHS-prescribed header statement
Descriptions of permitted uses and disclosures (treatment, payment, operations)
Uses requiring patient authorization (psychotherapy notes, marketing, sale of PHI)
All eight individual patient rights
Covered entity duties to safeguard PHI
Complaint procedures (internal and to HHS OCR)
Privacy Officer contact information
Effective date — aligned to the HHS February 2026 model since the deadline passed February 16, 2026

What You Still Need if You Use Athenahealth

A compliant NPP aligned to the HHS February 2026 revised model
Public website posting of the NPP (athenahealth's patient portal alone is not sufficient)
Physical office posting at each service site
An acknowledgment-of-receipt process for new patients (athenaOne can collect this once you upload your NPP)

Frequently Asked Questions

Does athenahealth provide a Notice of Privacy Practices?▼

No. Athenahealth provides a BAA and HIPAA-compliant EHR and RCM infrastructure but does not produce a Notice of Privacy Practices. The NPP is a covered-entity obligation under 45 CFR § 164.520.

Does athenahealth sign a BAA?▼

Yes. Athenahealth executes a Business Associate Agreement with covered entity practices. The BAA governs athenahealth's handling of PHI — it does not satisfy the NPP requirement.

What's the difference between athenaOne and athenahealth?▼

Athenahealth is the company name. AthenaOne is the name of its integrated EHR, practice management, and RCM platform. Both refer to the same entity for BAA and HIPAA compliance purposes.

What happens if I don't update my NPP to the 2026 model?▼

Operating with a pre-February 2026 NPP is a HIPAA violation. OCR civil monetary penalties range from $137 to $68,928 per violation. See NPP compliance penalties for enforcement details.

Generate your NPP in under 5 minutes.

Upload the PDF to athenaOne's intake workflow, post it on your website, and you're covered. HHS February 2026 model. $49 one-time — no subscription.

Start your NPP — $49

Free watermarked preview available. See sample →