A BAA is required whenever a covered entity shares PHI with a third-party service provider, including email marketing vendors. This is especially important when email campaigns involve sending personalized health information, appointment reminders, or any other type of sensitive data.