What Is a BAA and Which Vendors Need One? A Clinic Guide
A Business Associate Agreement (BAA) is required with every vendor that creates, receives, maintains, or transmits your patients' protected health information (PHI) on your behalf. Here's what a BAA must contain and which vendors need one.
Business Associate Agreements are one of the most frequently cited gaps in HIPAA enforcement actions — and one of the most manageable compliance requirements for small practices. Understanding what a BAA is, who requires one, and what it must contain can protect your practice from significant enforcement exposure.
Who Is a "Business Associate"?
A business associate is any person or entity, other than a member of your own workforce, that creates, receives, maintains, or transmits PHI while performing a function or service on behalf of a covered entity (45 CFR 160.103). Services that only transport PHI and do not routinely access it, such as the postal service or an internet service provider that merely carries traffic, fall under the narrow conduit exception and do not need a BAA. Business associates include:
Clinical and Administrative Vendors
- EHR and practice management software vendors
- Medical billing and coding companies
- Revenue cycle management services
- Answering services that take patient messages
- Appointment reminder and patient communication platforms
Technology and IT Vendors
- IT managed services providers (MSPs) with access to clinical systems
- Cloud storage providers where any PHI is stored, even if the data is encrypted and the provider never holds the decryption key
- Email encryption service providers
- Backup and disaster recovery services
Other Services
- Medical waste disposal companies
- Shredding services that handle documents containing PHI
- Accountants and attorneys who access PHI in the course of their services
- Clinical laboratories and other health care providers, but only when they perform a non-treatment service for the practice; sending a lab an order and specimen for testing is a treatment disclosure between covered entities, which does not require a BAA
Frequently missed: Answering services, appointment reminder platforms, and IT support companies with remote access to clinical systems are among the most commonly overlooked BAA requirements for small practices.
What a BAA Must Contain
The required elements are set out in 45 CFR 164.504(e)(2). At a minimum, the agreement must include:
- Description of the permitted and required uses and disclosures of PHI
- Prohibition on the business associate using or disclosing PHI in any way not permitted by the agreement or required by law
- Requirement to use appropriate safeguards to prevent unauthorized use or disclosure, and to comply with the Security Rule for electronic PHI
- Requirement to report any use or disclosure not permitted by the agreement, including breaches of unsecured PHI and security incidents
- Requirement to ensure subcontractors that handle PHI agree in writing to the same restrictions
- Requirement to make PHI available for patient access, amendment, and accounting of disclosures as required
- Requirement to make its internal practices, books, and records available to HHS for compliance review
- Requirement to return or destroy PHI upon termination where feasible, and to extend the agreement's protections to any PHI that cannot be returned or destroyed
- Authorization to terminate the agreement if the business associate materially breaches it
Managing Your BAA Inventory
Your practice should maintain:
- A centralized inventory of all business associates, recording the PHI each one handles, the date it first received PHI, and its BAA status
- Copies of all executed BAAs stored and accessible
- Tracking of BAA expiration dates if agreements are time-limited
- Annual review to ensure the inventory is current
- Verification that vendor-provided BAAs contain all required HIPAA elements
What Happens When a BAA Is Missing?
If OCR discovers that your practice shared PHI with a vendor without an executed BAA, every disclosure to that vendor was impermissible, and violations accrue for each day the relationship continued, counted from the date PHI was first shared rather than the date of discovery. Signing a BAA later does not cure the earlier disclosures. If you have been using a billing company without a BAA for three years, you have three years of potential violations, and OCR's limitations period lets it reach back six years from each violation (45 CFR 160.414).
Stay audit-ready without the headache.
AuditVault automates HIPAA documentation, OIG exclusion screening, and compliance risk tracking for small and mid-size medical practices. Launching January 2028.