NPP vs BAA — What's the Difference
The Notice of Privacy Practices and the Business Associate Agreement are two HIPAA documents that address different risks. Here's the plain-language difference and when you need each.
By NPP Generator Research Team · Published Feb 28, 2026 · Last reviewed Apr 23, 2026
Two HIPAA documents, two different audiences
HIPAA requires covered entities to maintain two kinds of documents that get regularly confused:
- Notice of Privacy Practices (NPP) — faces patients. Describes how the covered entity may use and disclose PHI, what rights patients have, and how to complain. Required by 45 CFR § 164.520.
- Business Associate Agreement (BAA) — faces vendors. Binds a third party that handles PHI on the covered entity's behalf (EHR, billing, cloud storage, etc.) to HIPAA safeguard obligations. Required by 45 CFR § 164.504(e) whenever a covered entity engages a business associate.
Side-by-side comparison
| | NPP | BAA |
|---|---|---|
| Regulation | 45 CFR § 164.520 | 45 CFR § 164.504(e) |
| Audience | Patients | Vendors (business associates) |
| Purpose | Notice of rights and practices | Binding contract imposing HIPAA obligations |
| How many you need | One (updated on material change) | One per vendor relationship involving PHI |
| Signature | Good-faith acknowledgment from patient (direct-treatment only) | Both parties sign; not technically required in writing but universal in practice |
| Distribution | Post on website, provide at first visit, post at clinical site | Exchanged between covered entity and vendor; not public |
Common confusion
Healthcare buyers sometimes ask a SaaS vendor for "your NPP" when what they actually want is a BAA. Only covered entities have NPPs; business associates (vendors) do not have NPPs of their own (though they may have a privacy policy for their commercial product). Conversely, patients sometimes ask their doctor for a "BAA" when they want to see the NPP.
Which one do you need?
If you're a covered entity (provider, health plan, clearinghouse), you need both: an NPP for patients and a BAA with every vendor that touches PHI. If you're a vendor (business associate), you sign your customer's BAA but don't produce an NPP yourself.