HIPAA Business Associate Agreement (BAA) guide

Understand when BAAs are required and what terms matter for vendor risk.

This guide helps small practices evaluate vendors, document BAA coverage, and keep HIPAA workflows aligned across teams.

When to request a BAA

  • Cloud software that stores or processes PHI
  • IT, billing, or support vendors with PHI access
  • Communication tools used for PHI-related workflows
  • Data backup, file-sharing, and managed hosting providers

Keep executed BAAs with your core compliance documents, and record for each one the vendor, the date signed, the PHI and systems in scope, and the contact for breach notification, so your team can show vendor safeguards during an audit. Retain them for at least six years after they stop being in effect, which is the HIPAA documentation retention period. You can review our security approach and explore compliance workflows in our compliance features. For broader preparation, use our HIPAA audit checklist.

Frequently asked questions

When is a BAA required?

A BAA is required when a vendor creates, receives, maintains, or transmits PHI on behalf of a covered entity (or on behalf of another business associate). This includes many cloud and software providers, billing companies, and IT service vendors. Encrypting the data does not remove the requirement: a hosting or storage provider that holds encrypted PHI is still a business associate even if it never holds the decryption key.

What should we verify before signing a BAA?

Confirm the permitted and required uses and disclosures of PHI, the vendor's obligation to implement safeguards, breach and security incident notification responsibilities (including the notification deadline), flow-down requirements for subcontractors, and data return or destruction terms at termination. Also check that the vendor has actually signed the agreement and that it covers the specific product or service tier you use, since some providers only offer a BAA on certain plans.

Do all software tools require a BAA?

No. A BAA is required only for tools that create, receive, maintain, or transmit PHI on your behalf; tools that never touch PHI do not require one. The main exception is the "conduit" category (for example, a carrier that merely transports data without storing it beyond what transmission requires), which HHS treats as not being a business associate. Vendors that store PHI, even temporarily or in encrypted form, are not conduits.

What happens if a practice does not have required BAAs in place?

Operating without a required Business Associate Agreement is itself a HIPAA violation, independent of whether a breach occurs. If discovered during an audit, complaint investigation, or breach review, it can lead to regulatory findings, a corrective action plan, or civil money penalties. Maintaining a current vendor inventory with matching BAAs is a core component of HIPAA compliance.

Do subcontractors of a business associate also need to sign a BAA?

Yes. If a subcontractor creates, receives, maintains, or transmits protected health information for a business associate, the business associate must obtain written satisfactory assurances, in the form of its own BAA with the subcontractor, that the subcontractor will safeguard the information in accordance with HIPAA. The covered entity does not sign that downstream agreement, but it should confirm that its own BAA requires the vendor to flow the obligations down.
