The BAA your call tracker won't sign — and why it matters
If a vendor touches patient phone numbers, names, or messages, you need a Business Associate Agreement. Most lead and call-tracking tools refuse to sign one. Here's why that's a problem for medical practices.
A Business Associate Agreement (BAA) is the contract that lets a vendor legally handle protected health information (PHI) on your behalf. It binds the vendor to the Security Rule safeguards and breach-notification duties your practice already carries. For a medical practice it isn't optional paperwork: it is the line between a compliant vendor relationship and a reportable exposure. Note that a vendor which handles PHI without a BAA is still a business associate by function; the practice that disclosed the data to it is the party out of compliance.
Phone numbers and names are PHI
There's a common misconception that PHI only means charts and diagnoses. Names and telephone numbers are both among the eighteen identifiers HIPAA lists, and in a practice context they are attached to the fact that the person sought treatment. The moment a lead or call-tracking tool stores "this person called about a hair transplant", whether as a call record, a voicemail, a text message, or a transcript, it is handling PHI.
Why the trackers say no
Most mainstream call-tracking and lead-capture tools are built for general business: plumbers, law firms, e-commerce. Signing a BAA means accepting HIPAA liability, building encryption and audit controls, agreeing to report breaches to you, and limiting how they use your data (no repurposing of call records for advertising audiences or product analytics). It's easier for them to simply decline, which quietly disqualifies them for any practice that takes compliance seriously.
What “compliant by design” actually requires
A platform that handles practice leads responsibly should, at minimum:
- Encrypt PHI at rest, with the keys held apart from the data. Phone numbers, names, and message contents stored encrypted, not in plain text, and the keys in a KMS or secrets manager rather than in the same database; a key stored next to the ciphertext protects against little more than a lost disk. PHI in transit belongs under TLS as well.
- Keep an append-only audit log. Every access and change recorded with who, what, when and why; entries can be added but never modified or deleted. "Append-only" should be enforced by the storage (an insert-only table, write-once storage, or a keyed hash chain that breaks if an entry is altered), not just by policy.
- Sign a BAA, and stand behind it with real controls, not just a signature.
- Minimize what it stores, for example transcribing calls instead of warehousing raw audio. The transcript is still PHI, but it is smaller, searchable, and far easier to redact and retain on a schedule than audio.
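To make the audit-log requirement concrete, here is an added example (not PracticeKit's code, and not from the original post) of an append-only audit trail built as a keyed hash chain. Each entry records who touched which lead record and why, and carries an HMAC over its own contents plus the previous entry's MAC, so editing, deleting, inserting or reordering any entry breaks every link after it. The demo key, record ids, actors and timestamps are all constructed for the example; in production the key lives in a KMS, separate from the database, so an attacker with only database access cannot recompute valid MACs.

```python
"""Append-only audit trail as a keyed hash chain (added example, stdlib only)."""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed demo key. In production this lives in a KMS or secrets manager,
# never alongside the log, so a DB-level attacker cannot re-sign edited entries.
AUDIT_KEY = b"demo-audit-key-held-outside-the-database"

GENESIS = "0" * 64  # prev-link of the first entry


def _entry_mac(key: bytes, prev_mac: str, body: dict) -> str:
    """HMAC-SHA256 over the previous link and a canonical JSON encoding of the body."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac.encode() + b"\n" + canon, hashlib.sha256).hexdigest()


class AuditLog:
    """In-memory stand-in for an INSERT-only audit table."""

    def __init__(self, key: bytes = AUDIT_KEY):
        self._key = key
        self.entries: List[dict] = []

    def append(self, ts: str, actor: str, action: str, record_id: str, reason: str) -> dict:
        body = {
            "seq": len(self.entries),  # position in the chain; catches deletions
            "ts": ts,
            "actor": actor,
            "action": action,          # e.g. "read", "update", "export"
            "record": record_id,       # which lead record, never the PHI itself
            "reason": reason,
        }
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = dict(body, prev=prev, mac=_entry_mac(self._key, prev, body))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Latest MAC; store this out of band to detect truncation of the tail."""
        return self.entries[-1]["mac"] if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, int]:
        """Return (ok, index of first bad entry; -1 when ok).

        Edits, deletions, insertions and reordering are caught by the chain.
        Dropping the last entry is only caught when expected_head is supplied."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k not in ("prev", "mac")}
            if body.get("seq") != i or e.get("prev") != prev:
                return False, i
            if not hmac.compare_digest(e["mac"], _entry_mac(self._key, prev, body)):
                return False, i
            prev = e["mac"]
        if expected_head is not None and not hmac.compare_digest(prev, expected_head):
            return False, len(self.entries)
        return True, -1


def build_demo_log() -> AuditLog:
    """Constructed sample activity on one lead record."""
    log = AuditLog()
    log.append("2024-03-01T09:02:11Z", "front-desk@practice", "create", "lead-1041", "inbound call logged")
    log.append("2024-03-01T09:15:40Z", "dr.lee@practice", "read", "lead-1041", "reviewing consult request")
    log.append("2024-03-01T17:30:05Z", "billing@practice", "export", "lead-1041", "monthly report")
    return log


def tamper_scenarios() -> dict:
    """verify() result for a clean log and for three kinds of silent editing."""
    results = {}
    head = build_demo_log().head()      # what an external anchor would have recorded
    results["clean"] = build_demo_log().verify(head)

    log = build_demo_log()
    log.entries[1]["actor"] = "intern@practice"   # rewrite who accessed the record
    results["edited"] = log.verify()

    log = build_demo_log()
    del log.entries[1]                             # quietly remove an access
    results["deleted"] = log.verify()

    log = build_demo_log()
    del log.entries[-1]                            # drop the most recent entry
    results["truncated_without_anchor"] = log.verify()
    results["truncated_with_anchor"] = log.verify(head)
    return results


if __name__ == "__main__":
    for name, outcome in tamper_scenarios().items():
        print(f"{name:28s} ok={outcome[0]} first_bad={outcome[1]}")
```

The "truncated_without_anchor" case is the one to notice: a hash chain alone cannot tell that the newest entries were removed, which is why the head MAC should be exported periodically to a system the application cannot write to (a separate log account, WORM storage, or a ticket to the compliance officer) and passed back into `verify` on each check.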
PracticeKit was built for practices from the first commit: PHI encrypted at rest, an append-only audit trail, and a BAA we'll actually sign. If your current tracker won't put that in writing, it's worth asking what it is doing with your patients' data in the meantime.