What is a business associate agreement, and who needs one?
A business associate agreement (BAA) is required whenever a vendor handles your patient data. Here is who qualifies as a business associate, what the agreement must contain, and what happens when you skip it.
Almost every small practice works with vendors who handle patient data. Your EHR vendor. Your billing company. Your IT managed service provider. The transcription service. The answering service. The cloud backup platform.
Each of those relationships requires a business associate agreement (BAA) — and the absence of one is a HIPAA violation, regardless of whether anything goes wrong.
What a business associate is
Under 45 CFR § 160.103, a "business associate" is a person or entity that performs a function or activity on behalf of a covered entity that involves the use or disclosure of protected health information (PHI) — or that provides services to a covered entity where the provision of those services involves the use or disclosure of PHI.
Translated: if a vendor can see, store, transmit, or otherwise touch your patients' health information as part of the work they do for you, they are a business associate.
Who is a business associate in practice
Most small practices underestimate how many business associate relationships they have. Common examples:
EHR vendor. Your electronic health record system stores all your patient data. The vendor — athenahealth, Epic, eClinicalWorks, Dentrix, RXNT, SimplePractice, or whichever you use — is a business associate. This is the most obvious one, and most reputable EHR vendors have a BAA available.
Billing company or clearinghouse. If you outsource billing, your billing company sees diagnosis codes, CPT codes, and patient identifiers. Business associate. Clearinghouses that process your claims also qualify.
IT managed service provider (MSP). If your IT provider has access to systems that store ePHI — even just to perform maintenance — they are a business associate. This includes remote monitoring tools that can see your servers.
Cloud backup service. If your backup includes any ePHI (and if you are backing up your EHR data or any system that touches patient information, it does), the backup provider is a business associate.
Answering service. Medical answering services that take patient messages involving PHI — symptoms, appointment requests, prescription requests — are business associates.
Transcription service. Audio recordings of patient visits that are transcribed by an external service involve PHI. Business associate.
Telehealth platform. If a third-party platform transmits audio or video of patient sessions (Zoom, Doxy.me, or a specialty telehealth product), that vendor is a business associate for those transmissions.
Who is not a business associate: A vendor who provides services that do not involve PHI. Your building landlord. Your office supply company. The payment processor who handles your merchant account (note: this is different from a billing company that handles insurance claims). A courier service transporting sealed lab specimens (the service itself does not access the contents).
What the BAA must contain
45 CFR § 164.504(e) specifies what a BAA must include. The required provisions:
- Permitted uses. The agreement must specify how the business associate is permitted to use PHI — and limit use to only what is necessary.
- Non-disclosure. The business associate cannot disclose PHI except as permitted by the agreement or required by law.
- Safeguards. The business associate must implement appropriate safeguards to protect PHI.
- Reporting. The business associate must report to you any use or disclosure not permitted by the agreement, and any security incidents (including breaches).
- Subcontractors. If the business associate uses subcontractors who will access PHI, those subcontractors must also have BAAs with the business associate.
- Return or destruction. At the end of the relationship, the business associate must return or destroy PHI.
Most reputable EHR vendors and billing companies have standard BAA forms. You sign theirs, or they sign yours — either way, the agreement needs to exist before the vendor accesses any PHI.
The BAA problem in practice
The most common BAA failures:
No BAA at all. The vendor was selected, the relationship began, and no one thought about the BAA. This is the most common scenario for IT providers, answering services, and cloud backup services.
Outdated BAA. The BAA was executed when the relationship began in 2018 and never updated. If the vendor's services have changed, or if the regulatory requirements have changed since it was signed (the 2013 updates to the Security Rule, and the 2026 rule that will change them further), an old BAA may not meet current standards.
Signed but not filed. The BAA exists in a vendor's system and was "completed" electronically, but there is no copy in the practice's records. When OCR asks for BAA documentation, you need to produce it.
Not covering all relationships. The BAA with the EHR vendor is in place, but the billing company, cloud backup, and IT provider never executed one.
What happens without a BAA
HIPAA does not require a breach to trigger a violation. Using a business associate who does not have a BAA in place is itself a violation of 45 CFR § 164.308(b)(1).
OCR investigations routinely include BAA review. Investigators ask for copies of BAAs with all current business associates. Missing BAAs add to the penalty calculation and, in some cases, are cited as a primary finding in their own right.
How to get a BAA with your EHR vendor
Most major EHR vendors have a BAA embedded in their service agreement or available on request through their compliance or legal department. The process:
- Check your existing service agreement — many signed service agreements include BAA language or reference a separate BAA document
- If not, contact your account manager or the vendor's compliance team and ask for their standard HIPAA Business Associate Agreement
- Review and countersign
- File a copy in your compliance documentation
Some vendors (Zoom, Google Workspace, Microsoft 365) offer BAA enrollment through a self-serve portal in your account settings.
How to audit your BAA coverage
For your annual risk analysis, you need a complete picture of your business associate relationships. The process:
- List every vendor who receives, stores, or processes PHI on your behalf
- For each vendor, confirm whether a BAA exists and file a copy
- For vendors without a BAA, initiate the process before the next risk analysis is complete
- Note the date of each BAA — outdated agreements should be reviewed and updated
The vendor relationship section of your risk analysis is the natural place to capture this inventory.
Sources: 45 CFR § 160.103 (definitions, business associate); 45 CFR § 164.308(b)(1) (business associate contracts); 45 CFR § 164.504(e) (business associate contract requirements); 45 CFR § 164.314 (business associate contracts and other arrangements).