The HIPAA rules require a BAA from every vendor third-party service provideryou a Covered Entity engages with use that will use, access, or disclose  could be exposed to your clients' PHI on its behalf.