
Who needs a HIPAA business associate agreement?

Not every vendor needs a BAA, and not every relationship that feels like it needs one actually does. Here is the legal test, the categories that consistently require BAAs, the common exceptions, and what happens if you skip one.

By CoreFolio


The business associate agreement (BAA) requirement is one of the most practically important, and most misunderstood, obligations in HIPAA. Practices often get it partially right: they have a BAA with their EHR vendor (because the EHR vendor required it) but are missing BAAs with their IT support company, cloud backup service, billing company, and answering service.

The legal question is specific, and it has a clear answer once you know what to look for.

Under 45 CFR § 160.103, a business associate is a person or entity that, other than as a member of the covered entity’s workforce, does either of the following on behalf of a covered entity:

Creates, receives, maintains, or transmits PHI for a function or activity regulated by HIPAA, including:

  • Claims processing or administration
  • Data analysis, processing, or administration
  • Utilization review
  • Quality assurance
  • Patient safety activities
  • Billing
  • Benefit management
  • Practice management
  • Repricing

Or provides services to or for the covered entity where providing the service involves the disclosure of PHI, including:

  • Legal services
  • Actuarial services
  • Accounting services
  • Consulting
  • Data aggregation
  • Management
  • Administrative services
  • Accreditation
  • Financial services

The common thread: the person or entity creates, receives, maintains, or transmits PHI in order to perform a function or service for the covered entity. If that condition is met, and none of the exceptions described below applies, a BAA must be in place before the PHI is shared. Note the word “maintains”: since the 2013 Omnibus Rule, an entity that merely stores PHI on the covered entity’s behalf is a business associate even if it never looks at the data.


Vendors that consistently require BAAs

EHR and practice management systems: Any platform that stores, processes, or transmits clinical records is a business associate. This is the most obvious category and most EHR vendors execute BAAs as part of their standard contracting.

Medical billing and revenue cycle companies: Handle extensive PHI in the course of claims submission, follow-up, and reporting.

Cloud storage and backup services: If patient records, clinical images, or other ePHI are stored in a cloud service — Google Drive, Dropbox, OneDrive, AWS S3, or any other — the provider is maintaining ePHI on the practice’s behalf and a BAA is required. Encrypting the data before upload does not change this: under HHS’s cloud computing guidance, a cloud service provider that stores ePHI is a business associate even when it holds only ciphertext and has no decryption key. The consumer tiers of most cloud storage platforms do not offer BAAs; enterprise and healthcare tiers typically do.

IT support and managed service providers: Any IT vendor with remote or administrative access to servers, workstations, or networks containing ePHI is a business associate. This applies even if the IT vendor’s purpose is maintenance and troubleshooting rather than working with PHI directly: the capability to access ePHI is sufficient, and so is storing it (for example, in backups the vendor manages).

Email platforms: An email provider stores every message and attachment on its servers, so if PHI moves through practice email the provider is maintaining ePHI and a BAA is required; this is true of standard Gmail, Microsoft 365, Yahoo, and most hosted email services. Consumer-tier email services do not offer BAAs; the business, enterprise, and healthcare tiers of Google Workspace and Microsoft 365 do. A BAA covers the provider’s handling of the data, not the transmission itself, so encrypting messages to outside recipients is still a separate Security Rule question.

Telehealth platforms: Any platform used for clinical video visits handles ePHI and is a business associate. Consumer tiers of video platforms (standard Zoom, FaceTime, Google Meet on a consumer account) do not come with BAAs; where Zoom or Google Meet are used, they must be on a paid healthcare or enterprise plan under which the vendor has executed a BAA.

Answering services and patient communication platforms: Services that handle patient messages, appointment reminders, or after-hours calls may receive patient PHI and require BAAs.

Transcription services: Medical transcription involves receiving and processing patient records. BAA required.

Shredding services: Physical shredding services that handle paper records containing PHI are business associates. NAID (National Association for Information Destruction)-certified shredding companies typically sign BAAs.

Attorneys and accountants: When legal or accounting services involve reviewing or analyzing PHI — malpractice defense, compliance reviews, healthcare transactions, audits involving patient records — the professional is a business associate for the scope of that engagement.


Who does NOT require a BAA

Workforce members: Employees, volunteers, and trainees working under the direct control of the covered entity are workforce members — not business associates. They are covered by internal policies and training, not BAAs.

Other covered entities for treatment purposes: When a physician refers a patient to a specialist and sends treatment records, the specialist is not a business associate for that treatment disclosure. The Privacy Rule permits treatment-purpose disclosures between covered entities without a BAA. (Note: if two covered entities are engaged in a joint venture or ongoing data-processing arrangement beyond treatment referrals, a BAA or other arrangement may be required.)

Conduit organizations: Organizations that only transmit PHI and do not access its content — a sealed-envelope courier, the postal service, or an ISP carrying encrypted ePHI it cannot decrypt — are conduits, not business associates, and no BAA is required. HHS reads this exception narrowly: it covers transmission-only services, including storage that is temporary and incidental to the transmission. A service that stores PHI for any longer than that (cloud storage, hosted email, backups) is not a conduit even if the data is encrypted.

Incidental presence: A plumber fixing a pipe in a records room who might inadvertently see a patient name on a folder is not a business associate. The definition requires performing functions or services involving PHI, not merely being present where PHI exists.


The subcontractor requirement

When a business associate uses a subcontractor that will create, receive, maintain, or transmit PHI, the subcontractor is itself a business associate of the business associate. Under 45 CFR § 164.308(b)(2) and § 164.504(e)(2), business associates must ensure that such subcontractors agree to the same restrictions and conditions through their own BAA.

Practical implication: a covered entity’s billing company uses a cloud billing platform. The covered entity has a BAA with the billing company. The billing company must have its own BAA with the cloud platform. The rule does not require the covered entity to obtain assurances from the subcontractor directly, but asking each business associate to confirm, as part of vendor onboarding, that it has BAAs with every subcontractor that touches the practice’s PHI is reasonable due diligence.


Consequences of missing BAAs

Missing BAAs appear in OCR resolution agreements with notable consistency. Enforcement consequences include:

  • Financial settlements, usually in combination with other findings; resolution agreements from 2013 onward regularly pair a missing-BAA finding with Security Rule failures such as an absent or incomplete risk analysis
  • Corrective action plan requirements to identify all business associates and execute BAAs within a specified period
  • OCR monitoring of the covered entity’s BAA compliance for the term of the corrective action plan, typically two years

A breach that occurs through a business associate operating without a BAA can increase the covered entity’s exposure — the covered entity failed to ensure its BA had protections in place, and the BA is also directly liable for its own Security Rule failures.


Building and maintaining a vendor inventory

The most practical tool for BAA compliance is a written vendor inventory: a list of every vendor with PHI access, their function, the date the BAA was executed, and the BAA renewal or review date if applicable.

Review the inventory:

  • When a new vendor is onboarded
  • When an existing vendor relationship changes scope
  • Annually as part of the Security Rule evaluation required by § 164.308(a)(8)

Most small practices discover, during a first-ever vendor inventory, that they have BAAs with two or three vendors (EHR, billing) and are missing BAAs with IT support, cloud backup, and email. Closing those gaps is a discrete, achievable task once the inventory is built.
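As an added example, not part of the article or of CoreFolio’s own materials, the following Python script turns the business associate test described above into a function and runs it over a vendor inventory of the kind just recommended. It flags vendors that handle PHI with no BAA on file, BAAs whose review date has passed, and business associates that have not confirmed BAAs with their own subcontractors, while leaving workforce members, conduits, and treatment-purpose covered entities alone. The inventory, vendor names, dates, and field names are all constructed for the example.

```python
"""BAA gap check over a vendor inventory.

Added example, not from the original article. Encodes the article's
business associate test as baa_required() and audits a constructed
sample inventory; every vendor, date, and field name here is hypothetical.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Relationship types the article places outside the business associate definition.
EXEMPT_RELATIONSHIPS = {"workforce", "conduit", "covered_entity_treatment"}


@dataclass
class Vendor:
    name: str
    function: str
    handles_phi: bool                        # creates, receives, maintains, or transmits our PHI
    relationship: str = "vendor"             # "vendor" or one of EXEMPT_RELATIONSHIPS
    baa_executed: Optional[date] = None      # date our BAA with this vendor was signed
    baa_review_due: Optional[date] = None    # next scheduled review of that BAA
    subcontractors: List[str] = field(default_factory=list)  # downstream vendors that touch our PHI
    subcontractor_baas_confirmed: bool = False               # vendor attested it holds BAAs with them


def baa_required(v: Vendor) -> bool:
    """The article's test: PHI handled on the covered entity's behalf, and the
    relationship is not workforce, conduit, or a treatment disclosure to another
    covered entity. Storing PHI counts as handling it even without viewing it."""
    return v.handles_phi and v.relationship not in EXEMPT_RELATIONSHIPS


def audit(inventory: List[Vendor], today: date) -> List[Tuple[str, str]]:
    """Return (vendor name, finding) pairs for every gap in BAA coverage."""
    findings: List[Tuple[str, str]] = []
    for v in inventory:
        if not baa_required(v):
            continue
        if v.baa_executed is None:
            findings.append((v.name, "no BAA on file"))
        elif v.baa_review_due is not None and v.baa_review_due < today:
            findings.append((v.name, "BAA review overdue"))
        # The BA, not the covered entity, must hold BAAs with its subcontractors,
        # but the inventory should record that the BA has confirmed it does.
        if v.subcontractors and not v.subcontractor_baas_confirmed:
            findings.append((v.name, "subcontractor BAAs not confirmed: " + ", ".join(v.subcontractors)))
    return findings


def sample_inventory() -> List[Vendor]:
    """Constructed sample inventory for a small practice (hypothetical)."""
    return [
        Vendor("EHR platform", "clinical records", True,
               baa_executed=date(2023, 6, 1), baa_review_due=date(2025, 6, 1)),
        Vendor("Billing company", "claims submission", True,
               baa_executed=date(2024, 1, 15), baa_review_due=date(2027, 1, 15),
               subcontractors=["cloud billing platform"]),
        Vendor("IT managed services", "remote server maintenance", True),
        Vendor("Consumer cloud backup", "nightly file backup", True),
        Vendor("Courier service", "sealed record transport", True, relationship="conduit"),
        Vendor("Front-desk staff", "scheduling", True, relationship="workforce"),
        Vendor("Referral specialist", "treatment of referred patients", True,
               relationship="covered_entity_treatment"),
        Vendor("Plumber", "facilities repair", False),
    ]


def run_sample(today: date = date(2026, 5, 20)) -> List[Tuple[str, str]]:
    """Audit the sample inventory as of a fixed (hypothetical) review date."""
    return audit(sample_inventory(), today)


if __name__ == "__main__":
    for vendor, finding in run_sample():
        print(f"{vendor}: {finding}")
```

Run against the sample inventory, the script reports the EHR vendor’s overdue review, the billing company’s unconfirmed subcontractor BAA, and the two vendors (IT support and cloud backup) operating with no BAA at all, which matches the gap pattern the article describes. Running it as part of the annual § 164.308(a)(8) evaluation is a cheap way to keep the inventory honest.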


Sources: 45 CFR § 160.103 (business associate definition); 45 CFR § 164.308(b)(1) and (b)(2) (BAA requirements for business associates and subcontractors); 45 CFR § 164.504(e) (BAA required provisions); HHS “Business Associates,” hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates; HHS Business Associate Contracts guidance, hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions; HHS Guidance on HIPAA & Cloud Computing; HHS 2013 Omnibus Rule (78 Fed. Reg. 5566, January 25, 2013). Last verified May 20, 2026.