Usually BAAs are required for IT vendors from healthcare companies before they start getting paid. It doesn't mean that they are claiming that their systems are HIPAA compliant