Business Associate Agreements (BAA) Explained: A Guide for Healthcare Practices

If your medical practice, dental office, therapy practice, or pharmacy shares patient information with any outside vendor, you almost certainly need a Business Associate Agreement (BAA) in place. Yet BAAs are one of the most commonly overlooked HIPAA requirements — and missing one can expose your practice to significant liability, even if the vendor is the one who causes a breach.

This guide explains what BAAs are, who needs them, what they must contain, and how to manage them without letting anything fall through the cracks.

What Is a Business Associate Agreement?

A Business Associate Agreement is a legally binding contract between a HIPAA covered entity (your practice) and a business associate (a vendor or contractor who handles protected health information on your behalf). The BAA establishes what the business associate is permitted to do with the PHI they access, what safeguards they must have in place, and what they must do if a breach occurs.

Under HIPAA, you cannot legally share protected health information with a business associate unless a BAA is in place. Full stop. It doesn't matter if the vendor is large and reputable, or if they've served your practice for years — without a signed BAA, every disclosure to them is a potential HIPAA violation.

What Is a Business Associate?

A business associate is any person or organization — outside of your workforce — that performs functions or activities involving the use or disclosure of PHI on behalf of your practice. This is broader than most practices realize.

Common Business Associates for Healthcare Practices

Billing and revenue cycle:

  • Medical billing companies
  • Coding services
  • Collections agencies that receive patient account information

Technology and software:

  • Electronic health record (EHR) vendors
  • Practice management software companies
  • Cloud storage providers used to store patient records
  • Email encryption services
  • Telehealth platforms
  • Patient communication and appointment reminder services

Clinical support:

  • Reference laboratories
  • Imaging centers (when sending reports back to you)
  • Transcription services

Administrative and legal:

  • Accounting firms that access financial records containing patient information
  • Attorneys handling matters that require reviewing patient records
  • Shredding and document destruction companies
  • IT service providers with access to systems containing ePHI

Who Does NOT Need a BAA

Not every vendor needs a BAA. Entities that don't handle PHI don't qualify as business associates. Examples:

  • Your janitorial service (no PHI access)
  • Office supply vendors
  • Your internet service provider (they transmit but don't access your data)
  • Couriers delivering sealed packages (no PHI access)

Healthcare providers who receive PHI for treatment purposes — a specialist you refer patients to, a hospital — are not business associates either. They're covered entities in their own right and operate under treatment purpose disclosures.

What Must a BAA Include?

HIPAA specifies the required elements of a valid BAA at 45 CFR § 164.504(e)(2). A compliant BAA must:

Establish Permitted Uses and Disclosures

The agreement must specify what the business associate is allowed to do with the PHI. For example, a billing company can use PHI to submit claims, but not to market other services to your patients.

Require Appropriate Safeguards

The business associate must agree to implement reasonable and appropriate safeguards to protect the PHI and prevent unauthorized use or disclosure.

Require Reporting of Breaches and Impermissible Disclosures

The business associate must agree to report any breach of unsecured PHI to your practice within required timeframes, as well as any use or disclosure of PHI that doesn't comply with the agreement.

Ensure Subcontractors Are Bound

If your business associate uses subcontractors who will access PHI, those subcontractors must also sign BAAs with your business associate. Your agreement should require this.

Require Cooperation With HHS

The business associate must agree to make their internal practices and records available to HHS for compliance audits.

Address Return or Destruction of PHI at Contract End

When the relationship ends, the agreement must address what happens to the PHI. Typically, the business associate must return or destroy it — and certify that they've done so.

When You Need a BAA: A Practical Framework

Ask yourself two questions about each vendor relationship:

  1. Does this vendor receive, create, maintain, or transmit PHI as part of the service they provide?
  2. Are they outside my practice's workforce?

If the answer to both is yes, you need a BAA before sharing any PHI.

Special Situations to Watch For

Cloud and SaaS vendors. Many practices assume that using a well-known platform (Google Workspace, Microsoft 365, Dropbox) doesn't require a BAA. It does — if you're storing or transmitting PHI through those systems. Google, Microsoft, and many major cloud providers do offer BAAs for healthcare customers, but you have to request and sign them. They don't apply automatically.

Telehealth platforms. Any telehealth platform through which clinical encounters occur must have a BAA with your practice. This includes video conferencing tools specifically used for patient care.

Patient communication apps. Appointment reminder services, patient messaging platforms, and post-visit survey tools that include patient names or health information are business associates.

IT contractors. If your IT support company can access your systems — even theoretically — you need a BAA with them.

Managing BAAs: The Tracking Problem

Most small practices have more business associates than they realize. A dental office might have:

  • EHR vendor
  • Dental billing service
  • Digital X-ray software company
  • Patient recall/reminder service
  • Cloud backup provider
  • IT support contractor
  • Shredding service

That's seven BAAs to track — and if any expire, are never signed, or aren't updated when the vendor's services change, you have a compliance gap.

Building a BAA Inventory

At minimum, maintain a log that tracks:

  • Vendor name and contact information
  • Date BAA was signed
  • Expiration date (if applicable)
  • Where the signed document is stored
  • Services provided and what PHI is shared

Review this inventory at least annually. Add new vendors before data sharing begins, not after.
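The inventory described above is easiest to keep honest when something checks it on a schedule rather than relying on the annual review alone. The following is an added example (not part of the original article and not HIPAAGuard's code): it models the log fields listed above as records, then flags any vendor whose BAA is missing, already expired, or expiring within a review window. The vendor names and dates are constructed for illustration, and the 90-day warning window is an assumption, not a HIPAA requirement.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# One row of the BAA inventory: the fields the article says to track at minimum.
@dataclass
class VendorRecord:
    vendor: str
    contact: str
    services: str            # what the vendor does for the practice
    phi_shared: str          # what PHI they receive, create, maintain or transmit
    baa_signed: Optional[date]   # None means no signed BAA is on file
    baa_expires: Optional[date]  # None means the agreement has no fixed end date
    document_location: str   # where the signed copy is stored

def classify(record: VendorRecord, today: date, warn_days: int = 90) -> str:
    """Return MISSING, EXPIRED, EXPIRING_SOON or CURRENT for one vendor.

    warn_days is an assumed review window chosen for this example.
    """
    if record.baa_signed is None:
        return "MISSING"
    if record.baa_expires is not None:
        if record.baa_expires < today:
            return "EXPIRED"
        if record.baa_expires - today <= timedelta(days=warn_days):
            return "EXPIRING_SOON"
    return "CURRENT"

def review_inventory(records, today: date, warn_days: int = 90) -> dict:
    """Map each vendor that needs attention to its status; CURRENT vendors are omitted."""
    findings = {}
    for record in records:
        status = classify(record, today, warn_days)
        if status != "CURRENT":
            findings[record.vendor] = status
    return findings

# Constructed sample inventory for a small dental office (hypothetical vendors and dates).
SAMPLE_INVENTORY = [
    VendorRecord("EHR vendor", "support@example-ehr.invalid", "clinical records system",
                 "full chart", date(2024, 1, 15), None, "Compliance binder, tab 1"),
    VendorRecord("Dental billing service", "ar@example-billing.invalid", "claims submission",
                 "demographics, procedure codes", date(2023, 3, 1), date(2025, 3, 1),
                 "Compliance binder, tab 2"),
    VendorRecord("Cloud backup provider", "baa@example-backup.invalid", "offsite backups",
                 "encrypted full backups", date(2024, 8, 1), date(2025, 8, 1),
                 "Shared drive /compliance/baa"),
    VendorRecord("IT support contractor", "help@example-it.invalid", "network administration",
                 "access to all systems holding ePHI", None, None, "not on file"),
    VendorRecord("Shredding service", "ops@example-shred.invalid", "document destruction",
                 "paper records", date(2024, 11, 10), date(2026, 11, 10),
                 "Compliance binder, tab 5"),
]

if __name__ == "__main__":
    for vendor, status in review_inventory(SAMPLE_INVENTORY, date(2025, 6, 1)).items():
        print(f"{status:14} {vendor}")
```

Run as written, the review dated 1 June 2025 reports the billing service as EXPIRED, the backup provider as EXPIRING_SOON, and the IT contractor as MISSING, which is exactly the "never signed or never renewed" gap the section warns about; the two vendors with a current agreement produce no output.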

What Happens If You Don't Have a BAA

Operating without required BAAs is a direct HIPAA violation. The consequences depend on the circumstances:

  • If a breach occurs and there's no BAA with the responsible vendor, your practice can share liability for the breach
  • OCR investigations triggered by complaints or audits specifically look for BAA gaps
  • Fines for missing BAAs can reach $10,000–$50,000 per violation category

More practically, if a business associate causes a breach and your agreement is incomplete or missing, your practice has far less legal recourse.

How HIPAAGuard Helps You Track and Manage BAAs

Keeping a current, complete BAA inventory across all your vendors is exactly the kind of ongoing administrative task that falls through the cracks in a busy practice. HIPAAGuard includes a built-in BAA management system that stores signed agreements, flags missing BAAs for new vendors you add, and sends reminders before existing agreements expire.

You also get access to a HIPAA-compliant BAA template you can customize for new vendor relationships — so you're not starting from scratch with a lawyer every time you onboard a new software tool.

Make sure every vendor relationship is covered. Get started with HIPAAGuard and complete your BAA inventory today — it takes less time than you think, and it closes one of the most common HIPAA compliance gaps small practices face.