If someone asked you right now to produce a list of every vendor that touches your patients’ protected health information, could you do it?
Could you pull out the signed Business Associate Agreement for each one?
Most practices cannot. And that gap — between the vendors you use and the agreements you have in place — is one of the most common, most expensive compliance failures OCR finds when they come looking.
What Is a Business Associate?
Under HIPAA, a business associate is any person or organization that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity — or provides services to a covered entity that involve access to PHI.
In plain English: if a vendor can see, touch, store, or move your patient data as part of the service they provide to you, they are almost certainly a business associate.
A Business Associate Agreement (BAA) is the required written contract between you and that vendor. It establishes what the business associate can and cannot do with PHI, requires them to implement safeguards, and defines their obligations if a breach occurs.
This is not optional. Under 45 CFR 164.502(e) and 164.504(e), a covered entity may not disclose PHI to a business associate — or allow a business associate to create or receive PHI on its behalf — without a satisfactory written agreement in place. No BAA means no legal basis for sharing the data. Period.
Who Needs a BAA? The Vendors Practices Forget About
Most practices know they need a BAA with their EHR vendor. Beyond that, things get fuzzy fast. Here is a list of common business associates that practices routinely overlook:
- IT support company — They have admin access to your systems. They can see everything. This is a business associate.
- Answering service — If they take messages that include patient names, callback numbers, or reasons for calling, they are handling PHI.
- Cloud backup provider — Storing encrypted backups of your systems? The data is still PHI, and they are still a business associate.
- Shredding company — They pick up bins containing paper records with PHI. They need a BAA.
- Billing company or clearinghouse — Obviously handling PHI. But many practices assume the billing software vendor handles this, and never execute a direct BAA.
- Email provider — If you use email to communicate with patients or send referrals containing PHI, your email provider is a business associate. Standard Gmail or Outlook accounts do not come with BAAs. Google Workspace and Microsoft 365 offer BAAs, but you must specifically activate or request them.
- Cloud fax service — Electronic faxes containing PHI make the fax provider a business associate.
- Collections agency — They receive patient names, account numbers, balances, and sometimes diagnostic codes. Unquestionably a business associate.
- Accountant or CPA — If your accountant receives any records that include patient-identifiable information (which happens more often than you think, especially with smaller practices), they need a BAA.
- Appointment reminder service — Texts and emails that include patient names and appointment details are PHI.
- Transcription service — Whether human or AI-powered, if they process clinical notes, they handle PHI.
- Practice management consultant — If they access your systems or review records as part of their engagement, BAA required.
Quick test: Can this vendor, in the course of doing their job for us, see or access information that identifies a patient? If yes, you almost certainly need a BAA.
What Must Be in a BAA
A BAA is not a handshake or a verbal agreement. The HIPAA Rules at 45 CFR 164.504(e) specify required provisions. A compliant BAA must include:
- Permitted and required uses — What the business associate is and is not allowed to do with the PHI. This must be specific, not a blanket authorization.
- Safeguard requirements — The business associate must agree to use appropriate safeguards to prevent unauthorized use or disclosure of PHI, including implementing the requirements of the Security Rule (for electronic PHI).
- Reporting obligations — The BA must report to you any use or disclosure not permitted by the agreement, including breaches of unsecured PHI. The agreement should specify timeframes for this reporting.
- Subcontractor requirements — The BA must ensure that any subcontractors who create, receive, maintain, or transmit PHI on its behalf agree to the same restrictions and conditions. This means your BA must have BAAs with its own downstream vendors.
- Access to PHI for individuals — The BA must make PHI available to satisfy your obligation to provide patient access under 45 CFR 164.524.
- Amendment of PHI — The BA must make PHI available for amendment and incorporate amendments as required under 45 CFR 164.526.
- Accounting of disclosures — The BA must make information available to provide an accounting of disclosures as required under 45 CFR 164.528.
- HHS access — The BA must make its internal practices, books, and records relating to PHI available to the Secretary of HHS for compliance determination purposes.
- Return or destruction — At termination of the agreement, the BA must return or destroy all PHI, if feasible. If not feasible, the agreement must explain why and extend protections indefinitely.
- Termination provisions — The agreement must authorize the covered entity to terminate the contract if the BA violates a material term.
If any of these provisions are missing, the BAA is deficient — and a deficient BAA is treated essentially the same as a missing BAA by OCR.
Who Does NOT Need a BAA
Not every vendor is a business associate. HIPAA includes several important exceptions.
The Conduit Exception
Entities that merely transport PHI but do not access it in any meaningful way are considered “conduits,” not business associates. Examples:
- The U.S. Postal Service — They carry envelopes containing PHI but have no reason to access the contents.
- UPS, FedEx, and other couriers — Same principle.
- Internet Service Providers — Your ISP transmits data packets, but the data is encrypted and the ISP has no use for the content. They are a conduit.
- Telephone companies — Providing the phone line over which you discuss PHI does not make them a business associate.
The conduit exception is narrow. The key distinction is whether the entity has routine access to PHI as part of providing its service. Your ISP does not routinely access the content of your transmissions. Your cloud backup provider does store and could access the content. That is the line.
Treatment, Payment, and Health Care Operations
When two covered entities share PHI for treatment purposes, they do not need a BAA between them. For example:
- A referring physician sending records to a specialist for treatment of a shared patient does not require a BAA.
- A hospital sending discharge records to a patient’s primary care physician does not require a BAA.
This exception applies to treatment. It also applies to certain payment and health care operations disclosures between covered entities, though the rules are more nuanced. When in doubt, having a BAA does no harm — lacking one when you need it can be catastrophic.
Other Non-BA Relationships
- Janitorial services — Unless your cleaning crew has access to unlocked file cabinets or unattended screens, they are generally not business associates. (But if they are handling records as part of their work, the analysis changes.)
- A bank processing credit card payments — Processing payment card data does not typically involve PHI. However, if the bank receives an Explanation of Benefits or patient-identifiable information, the calculus shifts.
- A patient’s family member picking up records at the front desk is not a business associate.
Template BAAs vs. Custom BAAs — and the Red Flags
Many vendors will hand you their “standard BAA” and ask you to sign it. Before you do, understand what you are signing.
Vendor-provided template BAAs are written to protect the vendor. That is their purpose. They will minimize the vendor’s obligations while technically checking the regulatory boxes. Watch for these red flags:
- Vague breach notification timelines — HIPAA requires business associates to report breaches “without unreasonable delay” and no later than 60 days after discovery. Some vendor BAAs say they will notify you “promptly” or “in a reasonable time” without committing to a specific window. You want a concrete number — 30 days or fewer.
- Broad permitted uses — The BAA should restrict the vendor to using PHI only for the specific services they provide to you. Watch for language that permits use for the vendor’s own “business purposes,” “product improvement,” or “de-identified data analytics.” These carve-outs can be broad enough to drive a truck through.
- Limitation of liability clauses — Some vendor BAAs cap the vendor’s financial liability at the amount of fees you have paid them. If your annual contract is $5,000 and they cause a breach that costs you $500,000, that cap is not protecting you.
- Indemnification that runs only one way — The vendor wants you to indemnify them, but they will not indemnify you. This is a negotiating point, not a given.
- Weak termination rights — The BAA should give you the right to terminate if the vendor violates a material term. If the agreement makes termination difficult or imposes penalties for termination due to the vendor’s non-compliance, push back.
- No mention of subcontractors — If the vendor uses subcontractors who will access PHI, the BAA must address this. Silence on subcontractors is a gap.
You do not need a lawyer to review every BAA — but you should have a clear understanding of what compliant BAA language looks like, and you should flag agreements that deviate from it.
What Happens When a Business Associate Has a Breach
This is where BAA management stops being abstract and starts being existential.
When your business associate suffers a breach, you are not automatically off the hook just because the breach happened on their end. Here is what you need to understand:
Your notification obligations still apply. The business associate must notify you of the breach, and then you are responsible for notifying affected individuals, HHS, and (for breaches affecting 500+ individuals) the media. Your name is on those notifications, not the vendor’s.
OCR will investigate you too. When a BA breach triggers an investigation, OCR looks at both the business associate and the covered entity. They will ask you: Did you have a BAA in place? Did you conduct due diligence before engaging this vendor? Did you have any oversight or monitoring process?
If you had no BAA, the liability is significantly worse. Without a BAA, you had no legal basis for sharing PHI with that vendor in the first place. The breach then becomes evidence of a more fundamental compliance failure on your part.
The financial exposure is real. Depending on the breach, you may face regulatory penalties, legal costs, notification expenses, credit monitoring for affected patients, and reputational damage — all because of a vendor’s failure, but landing squarely on your practice.
Monitoring and Managing Your Business Associates
Signing a BAA is necessary. It is also insufficient. A BAA sitting in a filing cabinet does nothing to protect you if the vendor it covers is not actually complying with its terms.
OCR has made clear in guidance and enforcement actions that covered entities have an ongoing obligation to manage their business associate relationships. This means:
- Maintaining a current inventory of all business associates and their BAAs, including execution dates and expiration or renewal terms.
- Verifying that BAAs are still in effect and have not expired or been superseded.
- Periodically assessing whether business associates are meeting their obligations. This does not require a full audit of every vendor, but it does mean asking questions: Do you conduct your own risk assessments? Have you had any security incidents? Can you provide evidence of your security practices?
- Acting on known problems. If you become aware that a business associate is violating the terms of the BAA, you must take reasonable steps to cure the violation. If the violation cannot be cured, you must terminate the agreement (and the relationship) if feasible.
The standard that OCR applies is not perfection — it is reasonableness. But “we signed a BAA five years ago and never looked at it again” does not meet even a minimal standard of reasonableness.
The Subcontractor Chain: Your BA’s BAs Need BAAs Too
Since the 2013 HIPAA Omnibus Rule, business associates are directly liable for HIPAA compliance — and they must have BAAs with their own subcontractors who handle PHI.
This matters to you because the chain of custody for your patients’ data can extend well beyond the vendor you see. Your EHR vendor hosts data on AWS. Your billing company uses a clearinghouse that uses a payment processor. Your cloud fax provider uses a telephony sub-processor.
You are not required to execute BAAs with your business associates’ subcontractors directly. But you should:
- Ask your business associates whether they use subcontractors who access PHI.
- Confirm that your business associates have BAAs in place with those subcontractors.
- Ensure your BAA with the primary vendor addresses subcontractor obligations.
If a breach occurs three levels down in the subcontractor chain, the trail of accountability leads back to you. Having a strong BAA with your primary vendor — one that includes clear subcontractor provisions — is your main protection.
Real Enforcement: OCR Cases Involving BAA Failures
BAA deficiencies are not theoretical risks. OCR has imposed significant penalties specifically for BAA-related failures:
North Memorial Health Care (2016) — $1.55 million. North Memorial failed to have a BAA in place with a major contractor that had access to the ePHI of nearly 300,000 individuals. The contractor’s laptop was stolen, exposing the data. OCR found that North Memorial had no BAA with the contractor and had not conducted a risk assessment addressing the contractor relationship. The absence of the BAA was a central finding.
Raleigh Orthopaedic Clinic (2016) — $750,000. The practice gave a vendor access to x-rays and other records containing PHI from approximately 17,300 patients without a BAA. The resolution agreement cited the failure to execute a BAA as the core violation.
Care New England Health System (2019) — $400,000. OCR found that Care New England had not executed compliant BAAs with several business associates. The deficiency was discovered during an investigation triggered by a separate breach report.
CHSPSC LLC (2020) — $2.3 million. Community Health Systems’ management company was found to have failed to implement security measures despite being a business associate handling PHI for numerous affiliated hospitals. This case reinforced that business associates themselves face direct enforcement.
These cases share a common thread: the BAA failure was not discovered in isolation. OCR investigated something else — typically a breach report or complaint — found the BAA gaps during that investigation, and added BAA violations to the enforcement action, compounding the findings and the penalties. Missing BAAs almost never exist in isolation; they indicate broader compliance failures, and OCR treats them accordingly.
The 2026 Proposed Rule Changes Affecting BAAs
The HHS Notice of Proposed Rulemaking (NPRM) published in early 2025 includes several provisions that will directly affect business associate agreements and BA management if finalized:
- Technology asset inventory requirements — Business associates would be required to maintain a written inventory of technology assets that handle ePHI, and this inventory would need to be updated at least annually. Your BAAs may need to be updated to reflect this obligation.
- Enhanced incident reporting — The proposed rule tightens breach notification requirements for business associates, including shorter reporting timelines to covered entities (24 hours for certain incidents) and more granular reporting of security incidents.
- Mandatory verification — Covered entities could face more explicit requirements to verify their business associates’ compliance, moving from the current “reasonable assurance” standard to something more concrete.
- Risk assessment documentation — Both covered entities and business associates would face more specific requirements for risk assessment documentation, which would affect what you need to see from your BAs.
These proposed changes signal a clear direction: HHS expects more active management of business associate relationships, not less. Practices that build strong BA management processes now will be ahead of the curve when final rules take effect.
A BAA Management Checklist
Use this as a starting point for getting your business associate program under control:
Inventory
- List every vendor, contractor, and service provider your practice uses
- Identify which ones create, receive, maintain, or transmit PHI
- Classify each as business associate, conduit, or non-BA
- Document the rationale for each classification
Agreements
- Confirm a signed BAA is on file for every identified business associate
- Verify each BAA contains all required provisions under 45 CFR 164.504(e)
- Check that breach notification timelines are concrete (not vague)
- Review vendor-provided BAAs for red flags before signing
- Note expiration dates and renewal terms for each BAA
Ongoing Management
- Schedule annual review of your BA inventory — vendors change, services change
- Request evidence of security practices from high-risk BAs (IT vendors, EHR, cloud services)
- Document any BA compliance concerns and steps taken to address them
- Verify that BAs have addressed subcontractor BAA requirements
- Update BAAs when the scope of services changes materially
- Re-execute BAAs that have expired
Incident Preparedness
- Confirm each BAA includes specific breach notification timelines
- Maintain current contact information for each BA’s privacy/security officer
- Include BA breach scenarios in your incident response planning
- Know what your obligations are when a BA reports a breach to you
How ComplyMD Helps With Vendor and BA Management
Business associate management is one of the areas where small and mid-sized practices struggle most. It is administrative, detail-oriented, ongoing work — exactly the kind of work that falls through the cracks when compliance is nobody’s full-time job.
ComplyMD provides a structured approach to BA management as part of a complete compliance program:
- Guided vendor inventory — Walk through your vendor relationships systematically, with prompts for the categories practices commonly miss.
- BAA tracking — Maintain a centralized record of all business associate agreements, with execution dates, renewal dates, and status tracking.
- Compliance verification workflows — Document your due diligence and ongoing oversight of business associates in a format that demonstrates reasonableness to OCR.
- Automated reminders — Get notified when BAAs are approaching expiration or when annual BA reviews are due.
- Incident response integration — When a BA reports a breach, ComplyMD guides you through your notification obligations and documentation requirements.
You have enough to do running a practice. Managing your vendor compliance program should not require a filing cabinet, a spreadsheet, and a prayer.