HIPAA Compliance, Simplified

Don't sign a BAA blind! Konrad uses AI-powered tools built by experienced lawyers to protect Business Associates from signing unfair, risky, or non-compliant BAAs.

Counterparty BAA Review

Get the most comprehensive assessment available of a Covered Entity BAA using Konrad's lawyer-developed AI review tool.

2026 BAA Update

New Feature! Bring your signed BAAs and templates up to date with the 2026 HIPAA update. Konrad rewrites and adds the necessary elements to keep your BAAs HIPAA-compliant.

Automated SRA Tool

Coming soon! Build a 2026 HIPAA-compliant Security Risk Assessment tailored to the specifics of your organization.

How Konrad Works

No monthly subscription required!

Pay-as-you-go or pre-purchase credits

Create an account and receive your 10 credits free!

Counterparty BAA Review

5 credits

Includes:

Full analysis of the BAA for the BA

Customizable list of recommended changes

Generated email draft

2026 BAA Update

Includes:

List of changes to existing BAA

Make BAA compliant with 2026 HIPAA changes

Automated SRA Tool

10 credits

Coming soon!

History and Timeline of the BAA under HIPAA

Key milestones in the evolution of Business Associate Agreement requirements and HIPAA compliance standards.

1996
HIPAA Statute Enacted
No BA term yet (direction to issue rules).
CDC

2000
Privacy Rule Final
BA concept + mandatory BAAs (164.502(e), 164.504(e)).
Federal Register

2002
Privacy Rule Modifications
Keep BA framework; adjust contract/monitoring details.
GovInfo

2003
Security Rule Final
Security obligations & BA contracts for ePHI (164.308(b), 164.314(a)).
GovInfo

2009
HITECH Act
Direct liability for BAs; breach-notification regime.
HHS.gov

2013
Omnibus Rule
Implements HITECH; expands BA definition (includes subcontractors; "create/receive/maintain/transmit"), sets 9/23/2013 compliance date.
GovInfo

2016-2022
OCR Guidance
CSPs are BAs (even "no-view").
HHS.gov

Today
Current CFR
CFR text at 45 CFR 160.103, 164.502(e), 164.504(e), 164.308(b), 164.314(a) reflects the above.
eCFR

State Law Tracker

While compliance with HIPAA is the basic requirement for all Business Associates, it is worth keeping in mind that state laws can supersede HIPAA when they provide greater privacy protections for individually identifiable health information. Curated information on how state laws specifically impact Business Associates can be found in Konrad's interactive State Law Tracker below.

Real-time Updates

Get notified when state healthcare laws change.

State Analysis

Detailed breakdown of state-specific BAA requirements.


Why Choose Konrad for BAA Compliance?

Streamline your Business Associate Agreement compliance with AI-powered tools designed specifically for healthcare regulations.

HIPAA Expertise

Built by compliance experts with deep understanding of healthcare regulations

BAA Benchmarking

Compare your BAAs against industry standards and best practices

Audit Ready

Generate compliance reports and documentation for regulatory audits

Lightning Fast

Review BAA documents in minutes, not hours or days