HIPAA BAA Checklist: Business Associate Agreement Guide for Healthcare Practices (2026)

Complete BAA checklist for healthcare practices — what must be in a business associate agreement, when one is required, and how to track them.

Patient Protect Editorial Team·March 10, 2026·12 min read
Business associate agreements are one of the most commonly violated HIPAA requirements — and one of the easiest to fix. OCR has issued six-figure penalties solely for missing BAAs, before any breach occurred. The violation is the absence of the agreement itself.

Most independent practices underestimate the number of vendors that require a BAA. A typical dental office or medical practice has between eight and fifteen business associates. Some have more than twenty. If even one is missing a signed agreement, the practice is noncompliant — regardless of whether that vendor has ever mishandled a single record.

This guide covers what a BAA is, when one is required, what it must contain, and how to manage the full lifecycle from execution to termination.

What Is a Business Associate Agreement?

A BAA is a legally binding contract required under HIPAA (§164.502(e), §164.504(e)) between a covered entity — your practice — and any vendor that creates, receives, maintains, or transmits protected health information on your behalf. The HITECH Act extended this requirement in 2009, and the 2013 Omnibus Rule made business associates directly liable under HIPAA.

The agreement defines three things:

What the vendor can and cannot do with PHI. A BAA specifies the permitted uses and disclosures of protected health information. If a use is not explicitly authorized in the agreement, the vendor is not permitted to perform it.

How the vendor must protect PHI. The agreement requires the business associate to implement appropriate administrative, physical, and technical safeguards — the same standard that applies to covered entities under the Security Rule.

What happens when something goes wrong. The BAA establishes breach notification obligations, requiring the business associate to report any unauthorized access or disclosure to the covered entity within a defined timeframe. Under HIPAA, this must be no later than 60 days from discovery, though many BAAs specify shorter windows.

A BAA is not a formality. It is a regulatory requirement. Without one, sharing PHI with a vendor is itself a HIPAA violation — even if the vendor handles that data perfectly.

When Is a BAA Required?

Any vendor that handles PHI on behalf of your practice requires a BAA. The list is longer than most practices realize.

Common business associates:

  • Cloud-based EHR/EMR vendors
  • Practice management software providers
  • Medical billing companies and clearinghouses
  • IT managed service providers
  • Cloud storage providers (if used for PHI)
  • Email hosting providers (if used for PHI communications)
  • Secure messaging platforms
  • Cloud fax services
  • Patient scheduling tools
  • Answering services and call centers
  • Transcription services
  • Shredding and document destruction companies
  • Payment processors that handle treatment-related details
  • Consultants with access to PHI (compliance, coding, billing)

Frequently missed business associates:

  • IT managed service providers. If your IT company can access your network, your EHR, or your backups, they are a business associate. This is one of the most common gaps — practices assume IT support is a utility, not a HIPAA-regulated relationship.
  • Website hosting providers. If your website includes a patient portal, online intake forms, or any mechanism that collects or transmits PHI, the hosting provider needs a BAA.
  • Accounting firms. If your accountant receives billing records that contain patient names, diagnosis codes, or treatment information, they are a business associate.
  • Attorneys. If legal counsel receives PHI in the course of representing your practice, a BAA is required.
  • HVAC and facility maintenance vendors. If a vendor has unescorted access to areas where PHI is stored or accessible — server rooms, records storage, workstations with open EHR sessions — they may qualify as a business associate under the physical safeguard provisions.

Who does not need a BAA:

  • Vendors that never access, handle, or transmit PHI
  • Conduits — entities that transport PHI but do not access it (e.g., the postal service, standard internet service providers, courier services)
  • Janitorial services with no access to PHI
  • Patients themselves

The conduit exception is narrow. If a vendor can reasonably access the content of PHI — even if they do not routinely do so — they are not a conduit. A cloud fax service that processes and stores fax content is a business associate. The phone company that transmits the signal is a conduit.

What Must a BAA Include?

HHS specifies required provisions for business associate agreements under §164.504(e). A compliant BAA must include all of the following:

1. Permitted uses and disclosures. The specific purposes for which the business associate may use or disclose PHI. This should match the actual services the vendor provides — not a generic catch-all.

2. Prohibition on unauthorized use. An explicit statement that the business associate will not use or disclose PHI other than as permitted by the agreement or required by law.

3. Safeguards requirement. The business associate must use appropriate safeguards to prevent unauthorized use or disclosure of PHI, including implementing the requirements of the Security Rule with respect to ePHI.

4. Reporting obligations. The business associate must report any use or disclosure not provided for by the agreement, any security incident, and any breach of unsecured PHI. Breach notification must occur without unreasonable delay and no later than 60 days from discovery.

5. Subcontractor requirements. If the business associate uses subcontractors that will access PHI, it must ensure those subcontractors agree to the same restrictions and conditions — including executing their own BAAs.

6. Access to PHI. The business associate must make PHI available to the covered entity (or directly to individuals) to satisfy patient access rights under §164.524.

7. Amendment of PHI. The business associate must make PHI available for amendment and incorporate amendments when directed by the covered entity.

8. Accounting of disclosures. The business associate must make information available to support the covered entity's obligation to provide an accounting of disclosures under §164.528.

9. Compliance verification. The business associate must make its internal practices, books, and records available to HHS for determining compliance.

10. Termination provisions. The agreement must authorize termination by the covered entity if the business associate violates a material term, and must require the return or destruction of all PHI upon termination.

HHS publishes sample BAA language in its business associate agreement provisions guidance. It is not a fill-in-the-blank template — it is a reference for the minimum required provisions.

The BAA Checklist

Use this checklist to audit and manage your practice's business associate agreements:

1. Inventory every vendor that touches PHI. Walk through every system, service, and relationship in your practice. Include software vendors, service providers, consultants, and any third party with potential access to protected health information. Most practices discover two to five vendors they had not previously considered.

2. Determine which vendors are business associates vs. conduits. For each vendor, ask: does this entity create, receive, maintain, or transmit PHI on our behalf? If yes, they are a business associate. If they merely transport data without accessing its content, they are a conduit. When in doubt, treat them as a business associate.

3. Execute a BAA with each business associate before sharing PHI. The BAA must be signed before the vendor receives any protected health information. Retroactive agreements do not cure the period of noncompliance.

4. Verify the BAA covers the specific services you use. A vendor may have a standard BAA that covers their primary product but not ancillary services — analytics, support, integrations. Confirm that every service involving PHI is explicitly covered.

5. Confirm the BAA includes breach notification timelines. The agreement should specify how quickly the business associate must notify you of a breach. HIPAA allows up to 60 days, but shorter windows (24-48 hours) give your practice more time to respond within your own notification obligations.

6. Confirm subcontractor provisions. If the vendor uses subcontractors who will access PHI, the BAA must require the vendor to execute BAAs with those subcontractors. Ask the vendor directly: who else touches our data?

7. Set up tracking for BAA expiration and renewal dates. Some BAAs have fixed terms. Others auto-renew. Know which is which and calendar the dates. An expired BAA is a missing BAA.

8. Review BAAs annually or when vendor relationships change. If you add new services from an existing vendor, change the scope of work, or the vendor undergoes an acquisition, the BAA should be reviewed and updated.

9. Document the BAA inventory as part of your compliance program. Maintain a centralized log of all business associates, BAA status, execution dates, expiration dates, and the services covered. This documentation is what you produce during an OCR investigation.

10. Have a process for terminating BAAs and ensuring PHI return or destruction. When you end a vendor relationship, the BAA requires the business associate to return or destroy all PHI. Document the request, the vendor's confirmation, and the method of destruction or return.
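As an added illustration, not part of the original article or the Patient Protect product, the checklist's tracking rules above (missing BAA, PHI shared before execution, expired or expiring terms, uncovered services, notification windows past the 60-day ceiling, subcontractor gaps) expressed as a small Python audit over a constructed vendor inventory; the vendor names, field names and dates are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

@dataclass
class Vendor:
    name: str
    handles_phi: bool                      # creates/receives/maintains/transmits PHI for the practice
    conduit: bool = False                  # narrow conduit exception: carries PHI, never accesses it
    services_used: Set[str] = field(default_factory=set)
    services_covered: Set[str] = field(default_factory=set)   # services the BAA explicitly covers
    baa_signed: Optional[date] = None      # None means no executed BAA on file
    baa_expires: Optional[date] = None     # None means no fixed term
    auto_renew: bool = False
    notify_days: Optional[int] = None      # breach notification window written into the BAA
    first_phi_shared: Optional[date] = None
    subcontractors_without_baa: List[str] = field(default_factory=list)

def audit(vendors, today, warn_days=60):
    findings = []
    for v in vendors:
        if not v.handles_phi or v.conduit:     # no PHI, or a true conduit: no BAA needed
            continue
        if v.baa_signed is None:
            findings.append((v.name, "MISSING_BAA"))
            continue
        if v.first_phi_shared and v.first_phi_shared < v.baa_signed:
            findings.append((v.name, "PHI_SHARED_BEFORE_BAA"))   # retroactive BAA does not cure this
        if v.baa_expires and not v.auto_renew:
            if v.baa_expires < today:
                findings.append((v.name, "EXPIRED_BAA"))          # an expired BAA is a missing BAA
            elif v.baa_expires <= today + timedelta(days=warn_days):
                findings.append((v.name, "EXPIRING_SOON"))
        gap = v.services_used - v.services_covered
        if gap:
            findings.append((v.name, "UNCOVERED_SERVICES:" + ",".join(sorted(gap))))
        if v.notify_days is None or v.notify_days > 60:   # HIPAA ceiling is 60 days from discovery
            findings.append((v.name, "NOTIFICATION_WINDOW_MISSING_OR_OVER_60_DAYS"))
        for sub in v.subcontractors_without_baa:
            findings.append((v.name, "SUBCONTRACTOR_WITHOUT_BAA:" + sub))
    return findings

TODAY = date(2026, 3, 10)
SAMPLE_VENDORS = [  # constructed sample inventory, not real vendors or agreements
    Vendor("EHR vendor", True, services_used={"ehr", "patient_portal"}, services_covered={"ehr"},
           baa_signed=date(2024, 1, 15), baa_expires=date(2027, 1, 15), notify_days=10),
    Vendor("Billing company", True, services_used={"billing"}, services_covered={"billing"},
           baa_signed=date(2023, 6, 1), baa_expires=date(2025, 9, 1), notify_days=60),
    Vendor("IT MSP", True, services_used={"network", "backups"}, first_phi_shared=date(2025, 11, 1)),
    Vendor("Cloud fax", True, services_used={"fax"}, services_covered={"fax"}, auto_renew=True,
           baa_signed=date(2025, 2, 1), notify_days=90, subcontractors_without_baa=["hosting provider"]),
    Vendor("Postal service", True, conduit=True),
    Vendor("Office supply store", False),
]
```

Running `audit(SAMPLE_VENDORS, TODAY)` yields one finding per gap, which maps directly onto the centralized log the checklist asks you to keep.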

Common BAA Mistakes

Using a vendor before executing the BAA. This is the most frequent violation. Practices sign up for a new EHR, billing service, or cloud tool and start using it immediately. The BAA gets added to a to-do list and never completed. Every day of use without a signed BAA is a day of noncompliance.

Assuming "HIPAA compliant" means you have a BAA. A vendor's marketing page may claim HIPAA compliance. That does not mean a BAA exists between you and that vendor. Compliance is the vendor's posture. A BAA is a contract between two specific parties. You still need to execute one.

Using generic BAA templates without reviewing the terms. Not all BAAs are created equal. A vendor-provided BAA may limit their liability, extend breach notification timelines to the maximum 60 days, or exclude certain services from coverage. Read the terms. Negotiate where necessary.

Not tracking expiration dates. BAAs with fixed terms expire silently. If your agreement lapsed six months ago and a breach occurs today, OCR will find that you operated without a BAA for six months.

Not updating BAAs when services change. You signed a BAA covering your vendor's billing software. Then you added their patient portal. The portal involves different PHI flows and may not be covered by the original agreement. Any new service involving PHI requires a BAA review.

Not addressing subcontractors. Your business associate uses a cloud hosting provider to store your data. That cloud provider is a subcontractor — and the chain of BAA obligations must extend to them. If it does not, there is a gap in your compliance program.

Real Enforcement: What Happens Without BAAs

OCR has made missing BAAs a priority enforcement target. These are public enforcement actions from the HHS breach portal and resolution agreements:

Raleigh Orthopaedic Clinic, P.A. — $750,000 settlement (2016). OCR investigated and found that Raleigh Orthopaedic provided PHI to a third-party vendor that performed billing and collections services without executing a BAA. The practice had no business associate agreement in place with the vendor despite an ongoing relationship involving access to thousands of patient records.

North Memorial Health Care — $1,550,000 settlement (2016). OCR found that North Memorial failed to execute a BAA with a major contractor that had access to the ePHI of 289,904 patients. The contractor experienced a laptop theft, which triggered the investigation. But the penalty was driven by the missing BAA — a systemic compliance failure that predated the breach.

Care New England — $400,000 settlement (2019). OCR found that Care New England Health System had failed to update and execute compliant BAAs after organizational changes. Outdated agreements that no longer reflected actual business relationships were treated as noncompliant.

The pattern is consistent: OCR does not treat a missing BAA as a minor oversight. It treats it as evidence of a compliance program that is not functioning. The financial penalties reflect that assessment.

How Patient Protect Handles BAAs

BAA lifecycle management is built into the Patient Protect platform. Instead of tracking agreements in spreadsheets or filing cabinets, every step is centralized and automated:

Creation. Generate BAAs from compliant boilerplate language that includes all HHS-required provisions. Customize by vendor and service scope.

Execution. Electronic signature workflow — send, sign, and countersign without printing, scanning, or mailing.

Tracking. Centralized dashboard showing every business associate, BAA status, execution date, and expiration date. Know your compliance posture at a glance.

Expiration alerts. Automated notifications before BAAs expire so renewals happen on schedule — not after the fact.

Termination and PHI disposition. Guided workflows for ending vendor relationships, including documentation of PHI return or destruction.

Audit-ready documentation. Every BAA, every signature, every status change is logged and exportable. When OCR asks for your BAA inventory, you produce it in minutes, not weeks.

Starting at $39/month with no long-term contract. Start your free trial.

Frequently Asked Questions

Do I need a BAA with every vendor?

No — only with vendors that create, receive, maintain, or transmit PHI on your behalf. Your office supply vendor does not need a BAA. Your EHR vendor, billing company, and IT provider do. The determining factor is whether the vendor handles protected health information as part of the services they provide to your practice.

What if a vendor refuses to sign a BAA?

You cannot share PHI with that vendor. This is not a negotiation — it is a regulatory requirement. If a vendor refuses to sign a BAA, you must either find a vendor that will or restructure the relationship so the vendor never accesses PHI. Continuing to use a vendor that refuses a BAA is a HIPAA violation.

Is a verbal agreement sufficient?

No. HIPAA requires BAAs to be documented in writing. A handshake, a verbal promise, or an email exchange does not satisfy the requirement. The agreement must be a written or electronic document with signatures from both parties.

How often should BAAs be renewed?

HIPAA does not specify a renewal frequency. However, BAAs should be reviewed annually as part of your compliance program and updated whenever vendor relationships change — new services, scope changes, acquisitions, or subcontractor modifications. If your BAA has a fixed term, ensure renewal happens before expiration.

Does a BAA protect me from liability?

A BAA defines responsibilities — it does not eliminate your liability as a covered entity. If your business associate causes a breach, the BAA establishes their obligations for notification and remediation. But OCR can still investigate and penalize the covered entity for inadequate oversight, failure to act on known violations, or systemic compliance failures. A BAA is a required safeguard, not a liability shield.

What is the difference between a business associate and a subcontractor?

A business associate performs services directly for a covered entity that involve PHI. A subcontractor performs services for the business associate — not for the practice directly — that involve PHI. Under the Omnibus Rule, subcontractors are held to the same standards as business associates and must have their own BAAs in place. The chain of accountability extends through every entity that handles PHI, regardless of how many layers deep the relationship goes.


BAAs are not paperwork for the sake of paperwork. They are the contractual mechanism that extends HIPAA's protections to every vendor in your PHI ecosystem. Missing one is not an oversight OCR overlooks — it is a standalone violation with standalone penalties.

If you are not sure how many of your vendors have signed BAAs, that uncertainty is the problem Patient Protect solves. Start your free trial and see your full BAA status in your first session.
