When a hospital sends a patient's discharge instructions out to be translated into Spanish, or a clinic forwards a Vietnamese-speaking patient's intake records to a vendor, that organization is doing something with real legal weight: it is disclosing protected health information (PHI) to a third party. Whether that disclosure is lawful — and whether it exposes the organization to a six- or seven-figure penalty — comes down to a single question most people never think to ask: is the translation vendor HIPAA-compliant, and is there a signed Business Associate Agreement in place?
This guide explains what HIPAA-compliant medical translation actually means, why a Business Associate Agreement (BAA) is non-negotiable, what Section 1557 of the Affordable Care Act adds on top of HIPAA, and how healthcare compliance officers should vet a language services vendor before a single record changes hands.
Why HIPAA Applies to Translation at All
HIPAA — the Health Insurance Portability and Accountability Act — governs how covered entities (hospitals, clinics, health plans, and their providers) handle protected health information. PHI is any individually identifiable health information: a name attached to a diagnosis, a date of birth on a lab report, an address on a consent form.
The moment a covered entity hands PHI to an outside company to perform a service on its behalf, that company becomes a business associate. Translation and interpretation vendors are explicitly the kind of service provider HIPAA had in mind. A translator reading a patient's operative report to render it in Arabic is handling PHI just as surely as a billing company or a cloud storage provider.
This is the part organizations miss most often. Emailing a patient's records to a bilingual staff member's cousin, pasting them into a free web translator, or using an offshore vendor with no compliance program in place are all disclosures of PHI — and if there's no BAA and no safeguards, each one is a potential HIPAA violation independent of whether the data is ever actually breached.
The Business Associate Agreement (BAA) Is Mandatory
Under 45 CFR 164.502(e), a covered entity may not disclose PHI to a business associate unless it first obtains "satisfactory assurances" — in writing — that the business associate will appropriately safeguard the information. In practice, that written assurance is the Business Associate Agreement.
A proper BAA for a translation vendor should, at minimum:
- Define the permitted uses and disclosures of PHI (translation and interpretation services only)
- Require the vendor to implement administrative, physical, and technical safeguards under the HIPAA Security Rule
- Require the vendor to report any security incident or breach to the covered entity
- Extend the same obligations to any subcontractors (e.g., individual linguists)
- Require return or destruction of PHI when the engagement ends
No BAA, no PHI. If a translation vendor cannot or will not sign a Business Associate Agreement, they cannot lawfully touch your patients' records — full stop.
The financial stakes are real. HIPAA civil penalties are tiered by culpability and, as adjusted for inflation, run into the tens of thousands of dollars per violation, with annual caps in the millions. The absence of a BAA has been a recurring theme in Office for Civil Rights (OCR) enforcement settlements — organizations have paid substantial settlements specifically for disclosing PHI to vendors without one in place.
Section 1557: The Rule That Makes Medical Translation Non-Optional
HIPAA tells you how to handle PHI safely. Section 1557 of the Affordable Care Act tells you that you must provide language access in the first place.
Section 1557 prohibits discrimination on the basis of national origin — which includes limited English proficiency (LEP) — in any health program or activity that receives federal financial assistance (which covers the vast majority of hospitals and clinics that accept Medicare or Medicaid). It requires covered health programs to:
- Offer qualified interpreters for spoken-language encounters
- Provide qualified translators for written materials
- Avoid relying on patients' family members or minor children to interpret
- Not rely on unqualified staff or unreliable machine translation for clinical communication
The 2024 update to the Section 1557 regulations specifically addressed machine translation, making clear that when machine translation is used for critical documents, a qualified human translator must review the output. Taken together, HIPAA and Section 1557 mean healthcare organizations need language services that are both secure and clinically qualified — you cannot satisfy one obligation by violating the other.
Why Free Machine Translation Fails on Both Counts
It's tempting to drop a discharge summary into Google Translate. Don't. Free and consumer machine translation tools fail healthcare organizations in two distinct ways:
1. They are a HIPAA breach risk
Public machine translation services do not sign BAAs. Many reserve the right to store, log, and use submitted text to improve their models. Pasting a patient's PHI into one of these tools is an unauthorized disclosure to a vendor with whom you have no agreement — a textbook HIPAA problem.
2. They are a patient safety risk
Machine translation makes errors that a bilingual staffer skimming the output will not catch, and in medicine those errors have consequences. A widely cited study of emergency department discharge instructions found machine translation was accurate roughly 80–90% of the time depending on the language — meaning a meaningful fraction of instructions contained errors, some with the potential to cause harm (for example, mistranslating dosing frequency or "do not" instructions). "Take once daily" and "take eleven a day" are one bad token apart.
The problem isn't that machine translation is always wrong. It's that it's confidently wrong in ways no one on your staff is positioned to catch — on documents where being wrong hurts patients.
Translation vs. Interpretation: You Almost Certainly Need Both
These two services are frequently conflated, but Section 1557 treats them separately, and so should your language access plan.
| Translation | Interpretation | |
|---|---|---|
| Medium | Written documents | Spoken language, real time |
| Healthcare examples | Consent forms, discharge instructions, lab results, medication guides, patient portals | Physician visits, triage, telehealth, phone follow-ups |
| Common formats | Certified document translation | On-site, over-the-phone (OPI), video remote (VRI) |
| Section 1557 term | Qualified translator | Qualified interpreter |
A patient's spoken appointment needs a qualified interpreter (OPI or VRI); their written discharge packet needs a qualified translator. Meeting one requirement doesn't satisfy the other. Learn more about our language access services for healthcare organizations.
Accreditation Pressure: The Joint Commission Is Watching
Beyond HIPAA and Section 1557, accredited hospitals face a third layer of expectation. The Joint Commission's standards require that patient communication needs — including language — be identified and met, and that the organization document how it does so. Surveyors increasingly ask to see the language access plan, interpreter usage logs, and evidence that vital documents are available in the languages of the community served. We cover this in depth in our guide to Joint Commission 2026 language access requirements.
How to Vet a HIPAA-Compliant Medical Translation Vendor
Before you send a single record, put a prospective vendor through this checklist:
- Will they sign a BAA? This is the gate. If the answer is anything but an immediate yes, stop.
- What safeguards protect PHI in transit and at rest? Look for encrypted file transfer, access controls, and no PHI in plain email.
- Are the translators qualified for medical content? Ask about medical specialization, ATA certification where applicable, and terminology QA.
- Do subcontractors sign downstream BAAs? Individual linguists handling PHI must be bound by the same obligations.
- How is PHI handled when the project ends? There should be a defined return-or-destroy process.
- If machine translation is used at all, is there mandatory human review? Post-editing by a qualified translator is what keeps machine-assisted workflows compliant with the 2024 Section 1557 rule.
- Can they meet clinical turnaround? Discharge instructions that arrive after the patient goes home don't help anyone.
What Taika Provides
Taika Translations executes a Business Associate Agreement with every healthcare client before any PHI is shared. Medical translation is handled by qualified, credentialed linguists with healthcare terminology expertise, PHI moves through secure encrypted channels rather than open email, and any machine-assisted workflow includes mandatory human review by a qualified translator. Standard turnaround for common clinical documents is 24–48 hours, with rush and same-day options for many language pairs. As a veteran-owned, ATA-member LSP serving all 50 states in 300+ languages, we help hospitals, clinics, and health plans satisfy HIPAA, Section 1557, and Joint Commission expectations at once.
If your organization handles patient information in more than one language, the safest next step is simple: get the BAA in place before you need it.