Compliance Guide

BAA vs. NPP: Which HIPAA Document Do You Actually Need?

By ComplyCreate Editorial Team  ·  Published Apr 24, 2026  ·  Last reviewed Apr 24, 2026

Quick answer: A BAA is a B2B contract with your vendors; an NPP is a B2C disclosure document for your patients. Most covered entities need both. Business associates typically need only the BAA (not an NPP). The two documents are governed by different CFR sections and cannot be combined.

One of the most common questions in HIPAA compliance is whether you need a BAA, an NPP, or both — and what exactly the difference is. The confusion is understandable: both documents relate to PHI, both are required by HIPAA, and both are commonly generated at the same time when a healthcare organization builds its compliance program. But they are entirely different in purpose, audience, and legal basis.

Side-by-Side Comparison

Factor | BAA (Business Associate Agreement) | NPP (Notice of Privacy Practices)
Who needs it | Covered entities with vendors; BAs with subcontractors | Covered entities with direct patient relationships
Who it's addressed to | The business associate (another organization) | Patients / individuals
What it does | Governs the BA's obligations with respect to PHI | Informs patients how the CE uses and discloses their PHI
Legal basis | 45 CFR § 164.502(e) (requires the contract) and § 164.504(e) (required contract terms) | 45 CFR § 164.520
Who signs it | Both parties must sign | Distributed unilaterally; providers must make a good-faith effort to obtain the patient's written acknowledgment of receipt
When required | Before sharing PHI with any BA | Providers: at first service delivery, posted at physical locations and on the CE's website if it has one; health plans: at enrollment
What happens without it | Disclosure of PHI to the BA is an impermissible disclosure under the Privacy Rule | Privacy Rule violation; possible OCR investigation
Who it benefits | Covered entity (contractual protection) and BA (documented obligations) | Patients (transparency about their privacy rights)

When You Need Both

Most healthcare providers, health plans, and other covered entities with direct patient relationships need both.

A solo physician practice, for example, needs an NPP posted in the waiting room and handed to new patients, plus BAAs with its EHR vendor, billing company, answering service, and any other vendor with access to PHI.

When You Need Only a BAA

Business associates typically need only BAAs. They do not have direct patient relationships and are not required to provide NPPs to patients. If you are a billing company, cloud storage provider, medical transcriptionist, or other healthcare vendor, your contractual obligations are set by your BAA with each covered entity you serve, and you must in turn sign a BAA with any subcontractor that handles PHI on your behalf. Note that since the 2013 Omnibus Rule, business associates are also directly liable under HIPAA for Security Rule compliance and for certain Privacy Rule requirements, regardless of what the BAA says. You do not provide an NPP to patients.

Healthcare clearinghouses are covered entities but typically do not have direct patient relationships. They sign BAAs, as the business associate, with the covered entities they serve, but generally do not need to distribute NPPs directly to patients.

When You Need Only an NPP

This situation is uncommon in practice. Only a covered entity that operates entirely without third-party vendors with access to PHI would need just an NPP, and essentially no organization works that way today. Virtually every covered entity has at least some vendors with PHI access (an EHR system, a billing service, even an email provider used for patient communications) and therefore needs BAAs as well.

Decision Flowchart

Work through these questions:

  1. Are you a covered entity? (Healthcare provider, health plan, or clearinghouse; see our covered entities guide)
    • If YES: proceed to question 2 and question 3.
    • If NO, but you handle PHI on behalf of a CE: you are likely a business associate. You need a BAA with the CE (and with your own subcontractors), not an NPP.
  2. Do you have direct relationships with patients?
    • If YES: you need an NPP. See NPPGenerator.com.
    • If NO (for example, a clearinghouse): you likely do not need an NPP.
  3. Do you use any vendors who have access to PHI?
    • If YES: you need a BAA with each such vendor, signed before any PHI is shared.
    • If NO: you need only the NPP, but check again carefully; an EHR, billing service, or email provider used for patient communications all count.

If you are still unsure which category you fall into, take our HIPAA self-assessment quiz.

Frequently Asked Questions

What is the difference between a BAA and NPP?

A BAA (Business Associate Agreement) is a B2B contract between a covered entity and a vendor (or between a BA and its subcontractor) governing the vendor's obligations with respect to PHI. It is required by 45 CFR § 164.502(e), with the mandatory contract terms listed in § 164.504(e). An NPP (Notice of Privacy Practices) is a B2C disclosure document given to patients explaining how the covered entity uses and discloses their PHI; it is required by 45 CFR § 164.520. Both parties sign a BAA; an NPP is distributed unilaterally to patients.

Does every covered entity need both a BAA and an NPP?

Most covered entities with direct patient relationships need both. An NPP is required by § 164.520 for covered entities with direct patient relationships. BAAs are required by § 164.504(e) for any relationship where a vendor accesses PHI on the CE's behalf — which applies to virtually all covered entities that use any technology vendors.

Do business associates need NPPs?

Generally, no. BAs do not have direct patient relationships and are not required to provide NPPs to patients. A BA that is also a covered entity in a separate capacity must provide NPPs in that CE role. Some patient-facing BA applications may provide privacy notices voluntarily, but these are not NPPs in the regulatory sense.

What CFR section governs BAAs vs NPPs?

BAA requirements: 45 CFR § 164.502(e) requires the written contract, and § 164.504(e) specifies the provisions it must contain. NPP requirements: 45 CFR § 164.520 specifies the required content, distribution, and posting of the notice. These are distinct regulatory sections with no overlap in requirements.

Can one document serve as both a BAA and an NPP?

No. A BAA and NPP are fundamentally different in purpose, audience, and content. A BAA requires signatures from both parties; an NPP is distributed unilaterally. They cannot be combined. Any document that attempts to serve both functions would likely fail to satisfy either set of regulatory requirements.
