The Business Associate Agreement — BAA — is one of the most important documents in your HIPAA compliance program. It's also one of the most commonly skipped.
Most practice managers know they need one with their EHR vendor. Fewer know they need one with their billing company. Even fewer have thought about the document shredding service, the appointment reminder platform, the cloud backup tool, the transcription service, or the telehealth software they added during a busy season and never revisited.
This isn't a technicality. A missing BAA is a direct HIPAA violation — even if nothing goes wrong — and it's one of the first things an OCR auditor will ask to see.
What Is a Business Associate?
HIPAA defines a Business Associate as any person or organization that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a Covered Entity. Your practice is the Covered Entity. Any vendor that handles patient data as part of the work they do for you is a Business Associate.
The key phrase is "on behalf of." They're not just touching data in passing — they're doing something with your patient data in order to help you provide care or run your practice. A Business Associate Agreement is the contract that defines what they're allowed to do with that data and what obligations they take on under HIPAA.
Without a BAA, you have no documented assurance that the vendor is protecting your patients' information. From a liability standpoint, that gap belongs to you.
Who Needs a BAA — The Full List
This is where most practices have gaps. The list is longer than it seems at first, because it includes every vendor that creates, receives, stores, or transmits PHI on your behalf, not just the ones whose primary business is health data.
// Obviously need a BAA
- EHR and practice management software vendor
- Medical billing company
- Billing clearinghouse (Availity, Change Healthcare, etc.)
- Health information exchange (HIE)
- Medical transcription services
- Cloud backup and storage vendors
- Managed IT service providers (if they access systems with PHI)
- Hosted email providers — if used for patient communication
- Data destruction and shredding companies
- Answering services and after-hours call centers
// Commonly missed — also need a BAA
These are the vendors that practices add over time, often without thinking through the HIPAA implications, and that fall squarely within the Business Associate definition the moment they handle patient information.
- Google Workspace: If you use Gmail, Google Drive, or Google Meet for anything involving patient information, you need a BAA with Google. The free consumer versions of these products are not HIPAA-eligible. You must be on a paid Google Workspace Business or Enterprise plan, and an administrator must accept Google's BAA in the Workspace Admin Console. Accepting it covers only the services Google lists as included functionality, so check that list against what you actually use.
- Microsoft 365: Same logic. If patient-related documents are stored in OneDrive or SharePoint, or patient communication goes through Outlook, a BAA is required. Microsoft includes its HIPAA BAA in the Microsoft Product Terms (formerly the Online Services Terms) for its business and enterprise cloud subscriptions, rather than as a separately signed document; confirm that your subscription and the specific services you use are in scope, and keep a copy of the applicable terms with your BAA records.
- Telehealth platforms: Zoom's free consumer plan is not covered by a BAA and must not be used for patient visits; Zoom offers a BAA on its healthcare plans. Doxy.me, Teladoc, and similar purpose-built platforms have BAA processes. Verify before using any video platform for patient care, and confirm the BAA covers recordings and chat transcripts if you use those features.
- Patient communication and reminder platforms: Klara, Luma Health, Weave, Phreesia, NexHealth — if the platform sends appointment reminders, collects intake forms, or facilitates any patient messaging, it touches PHI. A BAA is required.
- Online intake and form tools: Jotform, Typeform, and similar tools are not HIPAA-compliant on their standard tiers. Jotform offers a HIPAA-compliant tier with a BAA; verify whether you're subscribed to it, since the BAA attaches to the account tier, not to the product name. Google Forms is covered only as part of a paid Google Workspace plan on which the BAA has been accepted; on a free consumer Google account it is not HIPAA-eligible.
- Your IT support provider: If your IT company ever remotely accesses a computer that has patient data on it, even to fix a printer driver, it is a Business Associate. The question is whether they have access to PHI, not whether they intend to look at it. Your IT company should have a BAA on file with every healthcare practice it supports.
// Does NOT need a BAA
Not every vendor relationship triggers the BAA requirement. HIPAA carves out certain categories.
- The post office and couriers: HIPAA recognizes a narrow "conduit" exception for entities that merely transport PHI and have only transient, incidental access to it. USPS, UPS, FedEx, and an internet service provider carrying your traffic fall into this category. The exception does not extend to anyone who stores PHI: OCR's cloud computing guidance states that a cloud provider holding your data is a Business Associate even when the data is encrypted and the provider never has the key.
- Your malpractice insurance carrier: They receive information about incidents and claims, but they're not receiving PHI on behalf of your practice in a way that triggers the BA definition.
- Your bank or financial institution: Processing payment transactions doesn't make them a Business Associate, even if a patient's name appears on a check.
- Your janitorial service — unless they have access to areas where physical PHI is stored, in which case the analysis becomes more nuanced.
What a BAA Must Actually Include
HIPAA specifies the minimum content of a Business Associate Agreement under 45 CFR § 164.504(e). A BAA that doesn't contain these elements isn't compliant, even if it's a signed document. When you're reviewing a vendor's form BAA, verify it covers all of these:
- Establish the permitted and required uses and disclosures of PHI by the Business Associate: they can only use your patient data for the purposes you've agreed to, and may not use or disclose it in any way that would be unlawful for your practice to do itself
- Require the Business Associate to implement appropriate administrative, physical, and technical safeguards to protect PHI (and, for electronic PHI, to comply with the Security Rule), not just a vague promise of "security"
- Require the Business Associate to report to you any use or disclosure not permitted by the agreement, any security incident, and any breach of unsecured PHI, including the timeline for that notification. The Breach Notification Rule sets an outer limit of 60 days from discovery; many practices negotiate a much shorter contractual window so that a vendor's delay does not consume their own patient-notification deadline
- Require the Business Associate to make PHI available for patient access, amendment, and accounting of disclosures, and to make its internal practices and records available to HHS for compliance review
- Require the Business Associate to return or destroy PHI at the end of the relationship and certify that destruction; where return or destruction is not feasible, the agreement's protections must extend for as long as the PHI is retained
- Require the Business Associate to ensure that any subcontractors who handle your PHI agree in writing to the same restrictions; the chain of accountability extends downstream
- Authorize you to terminate the agreement if the Business Associate violates a material term
One thing to note: many enterprise SaaS vendors offer "standard" BAAs that heavily favor their terms. They may limit liability, restrict your audit rights, or define breach notification timelines loosely. Read the document. If your volume of patient data is significant, it may be worth having legal counsel review BAAs before signing — particularly for EHR vendors and cloud storage providers.
What Happens Without One
Using a vendor without a signed BAA is a direct HIPAA violation — regardless of whether that vendor has ever misused your data. The violation is structural: you are operating without the contractual framework HIPAA requires.
The consequences play out on two tracks.
First, if that vendor experiences a breach involving your patients' data, your liability is compounded by the absence of a BAA. You cannot demonstrate that you exercised due diligence in vetting and contracting with your Business Associates. OCR will treat the missing BAA as evidence of a systemic compliance failure — and will look for additional failures while they're investigating.
Second, OCR routinely requests a list of Business Associates and their signed BAAs during audits and investigations — even when the audit was triggered by something unrelated. If you can't produce them, you've just created a new problem on top of whatever originally drew OCR's attention.
Fines for missing Business Associate Agreements run from roughly $100 to more than $50,000 per violation, with an annual cap per violation category in the neighborhood of $2 million. These are statutory figures adjusted for inflation each year, so check HHS's current civil monetary penalty table rather than relying on a fixed number. Each missing BAA is typically treated as a separate violation.
In 2019, a dental practice was fined $10,000 and required to implement a corrective action plan after OCR found they were using a web-based scheduling platform to allow patients to book appointments — without a signed BAA in place. The platform stored patient names, contact information, and appointment types. No breach had occurred. The violation was the missing agreement itself.
How to Audit Your BAAs Right Now
The process is straightforward. It just requires sitting down and going through it methodically.
The Bigger Picture
Most missing BAAs aren't the result of negligence. They're the result of not knowing you needed one. A practice adds a new scheduling tool, a new communication platform, a new cloud storage solution — and the BAA question never comes up because no one's job is to ask it.
The fix is to make BAAs part of the vendor evaluation process, not an afterthought. Before any new software or service goes live in your practice, one question should be on the checklist: "Does this vendor have a BAA, and have we signed it?"
A security risk assessment maps every vendor relationship your practice has and flags the missing agreements. It's a more systematic approach than trying to reconstruct the list from memory — and it's the documented basis OCR expects to see when they ask how you manage your Business Associates.