Of every HIPAA control a small practice can implement, the Business Associate Agreement is the one most likely to be missing. Practices spend time on encryption and MFA and risk analyses and then sign up for a new transcription service, a new e-fax provider, or a new IT contractor without a BAA in place. HHS OCR has repeatedly issued multi-million-dollar settlements that turn on exactly that gap.
A BAA is a contract — but it's also a HIPAA compliance deliverable. Here's what the regulation actually requires.
What a BAA Has to Contain
The BAA Required Elements
- Permitted and required uses and disclosures of PHI, and a bar on any use or disclosure beyond what the contract permits or the law requires
- Required safeguards: administrative, physical, and technical protections appropriate to the PHI (for ePHI, Security Rule compliance)
- Reporting of impermissible uses and disclosures, security incidents, and breaches of unsecured PHI: what the BA must report to you, and how fast
- Subcontractor flow-down: any subcontractor that creates, receives, maintains, or transmits PHI for the BA must be bound to the same restrictions, in writing
- Access, amendment, and accounting of disclosures: the BA must support patient rights under the Privacy Rule for the PHI it holds
- Books and records: the BA must make its internal practices, books, and records available to the HHS Secretary for compliance determinations
- Return or destruction of PHI at termination, with protections extended for as long as the BA retains any PHI it cannot feasibly return or destroy, and documentation of what happened to it
- Termination for material breach: your right to end the relationship if the BA violates the BAA and does not cure the violation
The required elements are set out in 45 CFR 164.504(e)(2), and HHS publishes sample BAA contract language at hhs.gov; the list above is a plain-English summary, not the regulation text.
Who Has to Sign a BAA
The HIPAA definition is broad: any person or organisation that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a business associate. The common ones a small practice deals with:
Electronic Health Record (EHR) vendor
Almost always needs a BAA — the EHR is the primary PHI store.
Medical billing / revenue-cycle service
Handles claims data that includes PHI; needs a BAA.
IT support / MSSP / cloud provider
Any provider with access to systems holding ePHI needs a BAA.
Cloud imaging or PACS storage
Diagnostic images are PHI; storage providers need a BAA.
Encrypted email / secure messaging
If clinicians send PHI through it, the provider needs a BAA.
Transcription service
Dictation of clinical notes is PHI; transcribers need a BAA.
E-fax service
Faxed records often contain PHI; the e-fax provider needs a BAA.
Patient communications / marketing tools
Anything that touches patient names with appointment or condition data needs review.
Not everyone needs a BAA. The cleaning service, the document shredder (if data is destroyed on site under your supervision), and your landlord typically don't: they don't handle PHI as part of their service. Likewise, conduit services that merely transport data (a courier, the phone company, the postal service, an ISP) generally don't need one. The conduit exception is narrow, though: it covers transmission-only services with no more than transient access to the data. A provider that stores PHI on your behalf is a business associate, and HHS has said explicitly that this includes a cloud provider holding only encrypted ePHI to which it has no key. The test is whether the third party can access PHI, persistently, in the course of providing its service.
The Two Failure Modes
Practices typically get into BAA trouble two ways. The first is missing BAAs entirely: a vendor was onboarded quickly and the contract was never signed. The fix is a current vendor inventory: list every system and service, mark the ones that touch PHI, and confirm a signed BAA is on file for each. The second is weak BAAs: a vendor's standard BAA that is missing required elements (subcontractor flow-down and breach-notification timelines are the most common gaps). Read before signing, and push back on the omissions.
BAAs and Vendor Risk
A BAA is a legal control — it doesn't replace operational vendor risk management. The vendor still needs to actually have decent security, and you'll want some way of evaluating that (a SOC 2 report, a HITRUST CSF certification, or a documented security questionnaire). The general principles are in our third-party risk guide.
The Bottom Line
Build a vendor inventory, identify every business associate, confirm a current BAA is on file for each, and check that each BAA has the required elements. Then keep it current — every new tool the practice adopts triggers the same check. That single hygiene loop eliminates one of the most-cited HIPAA deficiencies and shrinks your downstream breach exposure considerably.
For the broader Security Rule picture, see HIPAA cybersecurity for small practices; for how an MSSP operates this for you, see the cybersecurity for healthcare practices page.
This article is general information, not legal advice. Consult qualified counsel before signing or modifying a Business Associate Agreement.