HIPAA BAAs for technology vendors: the requirement, what it covers, and how to verify
Any vendor that handles ePHI on your behalf is a business associate requiring a BAA before you transmit patient data. Here is the regulatory basis, which tool categories always need one, and how to find and verify a BAA with any vendor.
By CoreFolio
7-minute read
Every tool in a modern healthcare practice — email, cloud storage, telehealth platform, secure messaging, billing software, backup service — potentially touches electronic protected health information (ePHI). Before any of those tools can be used for patient data, the regulatory question is the same: does this vendor require a business associate agreement (BAA)?
The answer depends on what the vendor does with the data, not what category of tool it is. Understanding the legal test — and how to verify BAA status for any vendor — is more durable than any list of which specific products currently offer agreements.
The regulatory basis
The BAA requirement flows from two provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Privacy Rules:
- 45 CFR § 164.308(b)(1): A covered entity must have a written contract or arrangement with any business associate that will create, receive, maintain, or transmit ePHI on the covered entity's behalf.
- 45 CFR § 164.504(e): That contract must contain specific required provisions — including that the business associate will use appropriate safeguards, report breaches, and return or destroy PHI at termination.
The definition of business associate is in 45 CFR § 160.103. The test is functional: does this entity handle ePHI on your behalf as part of performing a service for you? If yes, they are a business associate and a BAA is required before you transmit any patient data to them.
Tool categories that consistently require BAAs
The following categories of tools meet the business associate test in nearly every implementation. Before using any of them with patient data, confirm a BAA is in place:
Electronic health record (EHR) and practice management platforms. Your EHR creates, maintains, and transmits ePHI as its core function. Most major EHR vendors execute BAAs as part of standard onboarding. If yours has not offered one, request it in writing before entering any patient data.
Medical billing and revenue cycle services. A billing service receives claim data containing patient diagnoses, procedure codes, and identifiers — ePHI transmitted to payers on your behalf. A BAA is required.
Email platforms. If you use your email provider to send or store unencrypted ePHI — patient communications, referral summaries, lab results — the provider is handling ePHI on your behalf and requires a BAA. Providers that offer BAAs typically offer them only on paid commercial or enterprise tiers; consumer and free-tier plans do not. Verify at the vendor's own HIPAA or legal documentation page before use.
Cloud storage and backup services. Any service that stores or synchronizes files containing ePHI — patient documents, imaging files, practice records — is a business associate. Consumer-tier storage plans typically do not offer BAAs; business and enterprise tiers of major platforms often do. Confirm directly with the vendor for your specific plan.
Telehealth and video visit platforms. A telehealth platform transmits session content — potentially including diagnoses and treatment discussion — and may store recordings. A BAA is required before conducting any clinical session. Platforms specifically designed and marketed for clinical use typically offer BAAs; consumer video platforms generally do not. Verify with the vendor before scheduling any patient sessions.
Secure messaging and clinical texting services. An application used to transmit ePHI between staff, or between providers and patients in a clinical context, is handling ePHI and requires a BAA. Standard SMS carriers and consumer messaging applications do not offer BAAs. Purpose-built clinical messaging platforms typically do.
IT support and managed service providers. An IT company with remote access to systems containing ePHI — whether for routine maintenance, support tickets, or network management — has the ability to access patient data and is a business associate. A BAA is required before granting that access.
Cloud-based billing, scheduling, and referral tools. Any software-as-a-service tool that processes patient data as part of its function requires a BAA, regardless of how incidental that data handling seems.
Tool categories where a BAA is not required
Not every vendor in a practice's technology stack requires a BAA:
- Payment processors that handle only credit card transaction data, not patient health information, are not business associates for HIPAA purposes. If the payment system does handle ePHI (for example, associating a payment with a diagnosis code), that changes the analysis.
- Internet service providers and telecommunications carriers transmitting data as a conduit — without accessing or storing the content — fall under an exception in the business associate definition. They must be functioning as a pure conduit with no incidental access to the content.
- Vendors with access only to de-identified data are not business associates for the data they receive, because de-identified data is outside HIPAA's scope.
When in doubt, assume a BAA is required. The cost of executing an unnecessary BAA is low; the cost of operating without a required one is a regulatory violation under 45 CFR § 164.308(b)(1) regardless of whether a breach occurs.
How to verify BAA status with any vendor
Because vendor BAA terms and availability change, no third-party source — including this article — is a substitute for checking the vendor's own current documentation. The right process:
- Go to the vendor's official HIPAA or compliance page. Most vendors that offer BAAs maintain a dedicated page, typically under "Legal," "Security," "Privacy," or "Compliance." Common titles: "HIPAA Business Associate Agreement," "Business Associate Amendment," "Healthcare Data Addendum," or "Data Protection Addendum."
- Confirm which service tiers are covered. BAA availability frequently varies by plan level. A vendor may offer a BAA only on paid business or enterprise tiers. Confirm that your specific plan is eligible before relying on the BAA.
- Execute the BAA before transmitting ePHI. A BAA that is executed after data has already been transmitted does not retroactively cure the violation. The agreement must be in place first.
- Add the executed BAA to your vendor inventory. Your risk analysis (45 CFR § 164.308(a)(1)(ii)(A)) should include every vendor with ePHI access, with BAA execution date and covered service noted.
- Review the BAA when you change plan tiers. If you upgrade or downgrade your plan, confirm that BAA coverage applies to the new tier.
The shared responsibility model
A signed BAA shifts contractual responsibility to the vendor for their infrastructure security — but it does not shift your obligation to configure the service correctly. For every tool in your practice:
- Access controls must be configured to limit ePHI access to authorized users only
- Encryption must be enabled where the service supports it and your risk analysis indicates it is required
- Audit logging must be turned on and reviewed on a documented schedule
- External sharing settings must restrict ePHI to authorized recipients
A BAA does not act as a safe harbor for a misconfigured service. In resolution agreements, OCR consistently finds that the covered entity had configured the tool incorrectly even though a BAA was in place.
When a vendor will not sign a BAA
Some vendors, particularly consumer platforms and small SaaS tools not built for healthcare, will not execute a BAA. Your options:
- Find an alternative vendor that will sign. For most common tool categories — email, cloud storage, video — there are healthcare-specific alternatives or enterprise tiers of major platforms that do offer BAAs.
- Encrypt before transmitting. If the data reaching the vendor is encrypted and the vendor has no access to the encryption keys, the vendor is not handling ePHI — they are handling ciphertext. This can remove the BAA requirement for that specific data flow, but only if the encryption is robust and the keys genuinely stay with you. Get advice on this approach before relying on it.
- Do not use the service for ePHI. If neither of the above works, the tool cannot be used for ePHI. Using it anyway is a violation under 45 CFR § 164.308(b)(1).
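The "encrypt before transmitting" option above has a concrete technical property that can be checked: the bytes that leave the practice are ciphertext, the key never leaves the practice, and any tampering by the storage vendor is detected on retrieval. The following Go program is an added example written for this article; it is not code from CoreFolio or from any vendor. It assumes AES-256-GCM from the Go standard library, a key generated in memory (in practice it would come from a local key store or HSM), a constructed sample record that is not real patient data, and hypothetical function names (NewLocalKey, SealForVendor, OpenFromVendor, LeaksToken). It demonstrates the technical side only; whether a given data flow falls outside the BAA requirement is the legal determination the article says to get advice on.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewLocalKey generates a 256-bit AES key that stays on the practice's systems.
// Assumption for this example: the key is generated in memory. In production it
// would be held in a local key store or HSM and never sent to the vendor.
func NewLocalKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealForVendor encrypts one record with AES-256-GCM before it is handed to a
// vendor that has not signed a BAA. Output layout: nonce || ciphertext || tag.
// label is authenticated but not encrypted (an internal record id, for example)
// so a blob cannot be silently swapped for another; it must not contain ePHI.
func SealForVendor(key, plaintext, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per record. GCM nonces must never repeat under one key,
	// so high-volume use needs key rotation or a counter-based nonce scheme.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// OpenFromVendor decrypts a blob retrieved from the vendor. A modified blob, a
// mismatched label, or the wrong key fails authentication and returns an error.
func OpenFromVendor(key, blob, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

// LeaksToken is a pre-upload sanity check: it reports whether any of the listed
// identifiers appear verbatim in the data about to leave the practice. A false
// result means the vendor receives ciphertext rather than recognisable ePHI.
func LeaksToken(outbound []byte, tokens []string) bool {
	for _, t := range tokens {
		if bytes.Contains(outbound, []byte(t)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample record for this example; not real patient data.
	record := []byte("patient=Jane Example; mrn=000123; dx=J45.20; note=follow-up in 2 weeks")
	label := []byte("record-id:7f3a") // internal id only, no ePHI

	key, err := NewLocalKey()
	if err != nil {
		panic(err)
	}
	blob, err := SealForVendor(key, record, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("outbound blob: %d bytes, identifiers visible: %v\n",
		len(blob), LeaksToken(blob, []string{"Jane Example", "000123", "J45.20"}))

	// Flipping one bit of what the vendor stored makes the blob unopenable.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = OpenFromVendor(key, tampered, label)
	fmt.Println("tampered blob rejected:", err != nil)

	back, err := OpenFromVendor(key, blob, label)
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip intact:", bytes.Equal(back, record))
}
```

The design point is the one the article makes: the vendor stores an opaque blob and holds no key, so it is never in a position to read the record, and the authentication tag means the practice notices if the stored copy was altered. Metadata the vendor can still see (file sizes, upload times, the label you choose) is exactly why the label must carry no ePHI.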
Sources: 45 CFR § 160.103 (definition of business associate); 45 CFR § 164.308(b)(1) (BAA requirement); 45 CFR § 164.504(e) (required BAA provisions); HHS sample BAA provisions, hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions. Last verified June 4, 2026.