
What is a HIPAA BAA

A HIPAA Business Associate Agreement (BAA) is a written contract required under HIPAA whenever a covered entity (medical practice, hospital, health plan) shares protected health information (PHI) with a business associate (vendor, service provider). The BAA sets out the HIPAA obligations the business associate must meet: permitted uses of PHI, safeguards, breach reporting, subcontractor terms, and return or destruction of PHI when the relationship ends. Understanding BAAs matters because proper BAA management is foundational HIPAA compliance work.

A HIPAA BAA is a key concept in healthcare IT that affects your practice operations and compliance. Qventive helps practices understand and manage HIPAA BAAs with 30+ years of expertise.

What Makes Someone a Business Associate

BAA applicability framework.

A business associate is a person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity, or that provides services to a covered entity involving the use or disclosure of PHI. Common business associates for medical practices:

  • EHR vendors — Epic, athenahealth, eClinicalWorks, NextGen, Allscripts, Greenway, and others.
  • IT service providers — MSPs (like Qventive), cloud hosting, email security, endpoint protection vendors.
  • Billing and revenue cycle services — third-party billing vendors, RCM services.
  • Medical transcription services — traditional and AI-assisted.
  • Shredding and records management — paper records disposal, electronic records archival.
  • Attorneys and consultants receiving PHI as part of their services (not all of them; it depends on whether the engagement actually involves PHI).
  • AI vendors processing PHI — ambient scribing, diagnostic AI, clinical decision support. See our healthcare AI compliance page.
  • Business associate subcontractors — vendors used by business associates must also have BAAs (downstream BAAs).

Not business associates: entities receiving PHI for their own treatment, payment, or healthcare operations (other healthcare providers treating the patient, health plans paying claims). Janitorial services, maintenance personnel, and conduits (like USPS, or a carrier that merely transports data) generally aren't business associates because any PHI access is incidental or transient rather than systematic.

Required BAA Elements

What HIPAA requires in a BAA.

HIPAA specifies required BAA content at 45 CFR § 164.504(e). The BAA must:

  • Establish permitted and required uses and disclosures of PHI by the business associate.
  • Prohibit the business associate from using or disclosing PHI other than as permitted by the BAA or required by law.
  • Require appropriate safeguards to protect PHI, including compliance with HIPAA Security Rule for electronic PHI.
  • Require reporting to the covered entity of any use or disclosure not permitted by the BAA, including breaches of unsecured PHI under the Breach Notification Rule.
  • Require business associate to ensure any subcontractors handling PHI agree to the same restrictions via downstream BAAs.
  • Require business associate to make PHI available to the covered entity, to an individual requesting access, or for amendment or accounting of disclosures.
  • Require business associate to comply with HIPAA when performing covered entity obligations on the covered entity's behalf.
  • Require business associate to make its internal practices, books, and records available to HHS for compliance review.
  • Provide for return or destruction of PHI upon termination, or continued protection if return/destruction infeasible.

HHS provides a sample BAA covering required elements. Most vendor BAAs are modifications of this baseline.

Practical BAA Management

Operational BAA workflow for medical practices.

BAA inventory

Maintain inventory of all business associate relationships — who has BAA, BAA effective date, scope of services, and renewal/termination status. Small practices commonly have 15-30 business associates; larger practices often 50+. Without structured inventory, BAA gaps accumulate. See our vendor management page.

New vendor onboarding

Any new vendor potentially accessing PHI requires a BAA before PHI access begins. The onboarding workflow should include BAA execution as the gate to PHI access (accounts provisioned, data exported, or integrations enabled only after the signed BAA is on file). Practices that allow vendor access before BAA execution have disclosed PHI to a business associate without a BAA, which is itself a HIPAA violation regardless of whether anything goes wrong later.

BAA review

Review vendor-provided BAAs for HIPAA-required elements and specific terms (breach notification timing, indemnification, subcontractor provisions, termination rights). Many vendor BAAs include elements favorable to the vendor that practices should negotiate. Legal counsel review for significant BAAs is common practice.

Termination and data return

When vendor relationships end, BAA typically requires return or destruction of PHI. Practical execution of this during vendor offboarding prevents lingering PHI exposure. EHR migrations and vendor changes should include explicit data return/destruction workflow per BAA terms.

Breach coordination

Business associates must report breaches of unsecured PHI to the covered entity without unreasonable delay and no later than 60 calendar days after discovery (45 CFR § 164.410); the BAA can, and often should, set a shorter window. The covered entity's own breach notification obligations then follow. Where the business associate acts as the practice's agent, its discovery date counts as the practice's, so a vendor that uses the full 60 days can consume most of the practice's own notification deadline. Strong BAA terms around breach notification timing and content improve incident response effectiveness.
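The inventory, onboarding gate, offboarding, and breach-window points above can be checked mechanically rather than by memory. The script below is an added example written for this page, not Qventive tooling or an HHS artifact. The Vendor record layout, vendor names, dates, and notification windows are constructed for illustration; the 60-day constant is the regulatory outer limit described above, and treating a longer negotiated window as a gap is a policy choice this example makes.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Outer limit for business-associate-to-covered-entity breach reporting
# (45 CFR 164.410): without unreasonable delay and no later than 60 calendar days.
MAX_BREACH_NOTICE_DAYS = 60


@dataclass
class Vendor:
    """One row of the BAA inventory. Hypothetical schema chosen for this example."""
    name: str
    accesses_phi: bool
    baa_executed: Optional[date] = None       # None means no BAA on file
    baa_terminated: Optional[date] = None     # set when the relationship ended
    breach_notice_days: Optional[int] = None  # reporting window written into the BAA
    phi_returned: Optional[bool] = None       # return/destruction confirmed at offboarding
    subcontractors: List["Vendor"] = field(default_factory=list)  # downstream BAs


def baa_in_force(v: Vendor, today: date) -> bool:
    """A BAA counts only if executed on or before today and not yet terminated."""
    if v.baa_executed is None or v.baa_executed > today:
        return False
    return v.baa_terminated is None or v.baa_terminated > today


def may_access_phi(v: Vendor, today: date) -> bool:
    """Onboarding gate: a vendor that touches PHI gets access only with a BAA in force.
    Vendors that never touch PHI (cleaning, utilities) pass without one."""
    return (not v.accesses_phi) or baa_in_force(v, today)


def find_gaps(vendors: List[Vendor], today: date, path: str = "") -> List[tuple]:
    """Walk the inventory, descending into subcontractors, and return
    (vendor path, problem) pairs that need action."""
    gaps = []
    for v in vendors:
        label = f"{path} > {v.name}" if path else v.name
        if not v.accesses_phi:
            continue  # not a business associate; nothing to check
        if v.baa_terminated is not None and v.baa_terminated <= today:
            # offboarding check: ended relationships must have returned/destroyed PHI
            if not v.phi_returned:
                gaps.append((label, "terminated: PHI return/destruction not confirmed"))
        elif not baa_in_force(v, today):
            gaps.append((label, "accesses PHI with no BAA in force"))
        elif v.breach_notice_days is None:
            gaps.append((label, "BAA does not state a breach notification window"))
        elif v.breach_notice_days > MAX_BREACH_NOTICE_DAYS:
            gaps.append((label, f"breach notice window {v.breach_notice_days}d "
                                f"exceeds {MAX_BREACH_NOTICE_DAYS}d"))
        # subcontractors of a business associate need downstream BAAs of their own
        gaps.extend(find_gaps(v.subcontractors, today, label))
    return gaps


TODAY = date(2026, 4, 1)

# Constructed sample inventory; every name, date and window here is made up.
INVENTORY = [
    Vendor("EHR vendor", True, baa_executed=date(2022, 1, 15), breach_notice_days=10,
           subcontractors=[
               Vendor("EHR cloud host", True, baa_executed=date(2022, 2, 1), breach_notice_days=5),
               Vendor("EHR analytics partner", True),      # downstream BAA missing
           ]),
    Vendor("MSP", True, baa_executed=date(2024, 6, 1), breach_notice_days=30),
    Vendor("Billing service", True),                        # no BAA at all
    Vendor("Transcription (old)", True, baa_executed=date(2019, 3, 1),
           baa_terminated=date(2025, 12, 31), phi_returned=False),  # offboarding gap
    Vendor("Email archive", True, baa_executed=date(2023, 5, 1), breach_notice_days=90),
    Vendor("Cleaning service", False),                      # not a business associate
]

if __name__ == "__main__":
    for vendor_path, problem in find_gaps(INVENTORY, TODAY):
        print(f"{vendor_path}: {problem}")
```

Run against the sample inventory it reports four items: the EHR vendor's analytics subcontractor with no downstream BAA, the billing service with no BAA, the terminated transcription vendor whose PHI return was never confirmed, and the archive vendor whose 90-day window exceeds the 60-day limit. The cleaning service produces nothing because it never touches PHI, which is the same reasoning the gate function applies at onboarding.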

What Practices Ask About HIPAA BAAs

Which vendors need a BAA?

Only vendors that create, receive, maintain, or transmit PHI on behalf of the covered entity. Vendors not accessing PHI (office supplies, cleaning services that don't access records, utilities) generally don't need BAAs. When in doubt, evaluate whether the vendor could realistically access PHI in the course of their work. For uncertain cases, erring toward BAA execution is the defensive posture.

What if a vendor refuses to sign a BAA?

Fundamental problem. If a vendor is a business associate under HIPAA and refuses to sign a BAA, the practice cannot permit that vendor to access PHI. Either the vendor is not actually a business associate (evaluation needed), or the practice needs a different vendor willing to execute a BAA. Vendors actively serving healthcare should have standard BAAs; refusing to sign is a red flag.

Can we sign the vendor's own BAA template?

Yes, common practice. Most vendors provide their own BAA templates. Review for HIPAA-required elements and negotiate the specific terms that matter: breach notification timing, indemnification, subcontractor provisions, and termination rights. Don't simply sign without review; vendor templates often favor the vendor.

Do other healthcare providers we share PHI with need a BAA?

Generally no. Other healthcare providers treating the patient receive PHI for their own treatment purposes, not on behalf of the first practice. This falls outside the business associate definition. PHI sharing between providers for treatment purposes happens under HIPAA's treatment disclosure provisions without a BAA. See the HHS HIPAA FAQ.

Can we store PHI in cloud services?

Consumer-tier services without BAAs are not appropriate for PHI storage. Enterprise-tier services with BAAs (Microsoft 365 with HIPAA BAA, Google Workspace with BAA, Dropbox Business with BAA, Box Business with BAA, AWS with BAA) can be appropriate when properly configured. Two caveats: a cloud provider's BAA typically covers only the services it lists, so PHI belongs only in those services; and the BAA leaves configuration (access control, encryption settings, logging, sharing restrictions) to the practice. BAA execution and proper configuration both matter; a BAA alone isn't sufficient without HIPAA-aligned configuration. See our Microsoft 365 page.

Does signing a BAA make a vendor HIPAA-compliant?

A BAA establishes contractual HIPAA obligations; it doesn't automatically make the vendor HIPAA-compliant operationally. Vendors still need to actually implement HIPAA Security Rule technical safeguards, train their workforce, conduct risk assessments, and meet other HIPAA obligations. The BAA is the contract; operational compliance is separate. Good vendor evaluation includes both BAA review and operational compliance assessment (often via a SOC 2 report, questionnaires, or a specific security review). See our HIPAA vs SOC 2 page.

Who should sign the BAA for the practice?

Typically the practice administrator, compliance officer, or designated legal authority. For small practices, the owner/practitioner often signs. For larger practices, a designated BAA management role often centralizes this. Whoever signs should understand the BAA's content and obligations, not just be willing to sign without review. BAA management is substantive compliance work that merits deliberate authority assignment.
Last Updated: April 2026  ·  Reviewed by: Qventive Healthcare clinical technology team
