HIPAA Business Associate Agreements: Who Needs One and What to Include
Every vendor that handles PHI on your behalf needs a business associate agreement. That requirement has been part of the Privacy Rule since it took effect in 2003, and the HITECH Act of 2009 (implemented by the 2013 Omnibus Rule) made business associates directly liable for their own compliance. Yet missing or incomplete BAAs remain one of the most common findings in OCR investigations and audits.
What is a business associate?
Under 45 CFR § 160.103, a business associate is any person or organization — other than a member of your workforce — that creates, receives, maintains, or transmits protected health information on behalf of a covered entity, or that provides certain services to a covered entity involving the disclosure of PHI.
In practice, that includes:
- EHR and practice management software vendors
- Cloud hosting and storage providers (AWS, Azure, Google Cloud)
- Medical billing and coding companies
- IT managed service providers
- Document shredding and disposal services
- Accountants and attorneys who receive PHI
- Answering services that take patient messages
- Transcription services
- Health information exchanges
The list is longer than most practices expect. If you are unsure whether a vendor qualifies, ask one question: does this vendor have access to, or could they reasonably encounter, PHI as part of the service they provide? If yes, they are likely a business associate.
Who does not need a BAA?
Not every vendor relationship requires one. The regulation carves out several categories:
- Conduits. Entities that merely transport PHI and do not access it beyond what transmission requires (the postal service, couriers, internet service providers, telephone companies). The conduit exception is narrow: it applies only when the vendor's access to PHI is transient and incidental to delivering it. A vendor that stores PHI, even briefly, is not a conduit.
- Other covered entities receiving treatment-related disclosures. If you send a referral to another physician, you do not need a BAA with them. They are a covered entity in their own right and subject to HIPAA independently.
- Patients themselves. When a patient authorizes you to send their records to a third party, that third party is not your business associate.
The gray areas usually involve technology vendors. A cloud email provider that stores your messages? A business associate if those messages contain PHI. A cloud storage or hosting provider? OCR's 2016 cloud computing guidance is explicit: a provider that stores ePHI is a business associate even if the data is encrypted and the provider never holds the decryption key, because maintaining PHI is itself a business associate function. A janitorial company that cleans your office? Generally not, unless they have access to areas where PHI is stored and could reasonably access it.
What the BAA must contain
The required provisions are spelled out in 45 CFR § 164.504(e)(2). A compliant BAA must include:
- Permitted and required uses. The BAA must specify what the business associate is allowed to do with PHI and what they are required to do. Open-ended language like "BA may use PHI for any purpose related to the services" is too broad; permitted uses should be tied to the specific services and must not authorize anything the covered entity could not do itself.
- Safeguard requirements. The BA must agree to implement appropriate safeguards to prevent unauthorized use or disclosure. Since the HITECH Act, BAs are directly subject to the Security Rule, so this is not just contractual — it is regulatory.
- Breach and incident reporting. The BA must report to the covered entity any use or disclosure not permitted by the contract, any security incident, and any breach of unsecured PHI. For breaches, 45 CFR § 164.410 requires notice to the covered entity "without unreasonable delay" and in no case later than 60 calendar days after discovery. Many practices negotiate a shorter contractual deadline (10 days, 5 days, 72 hours) because 60 days of silence after a breach affecting your patients is not acceptable even if it is technically compliant. Because "security incident" under the Security Rule also covers attempted incidents, it is common to agree that routine unsuccessful attempts (blocked scans, failed logins) are reported in aggregate rather than one at a time.
- Subcontractor requirements. If the BA uses subcontractors who will access PHI, the BA must ensure those subcontractors agree to the same restrictions and conditions. This means subcontractor BAAs.
- Individual access rights. The BA must make PHI available to the covered entity (or directly to individuals) to satisfy access requests under 45 CFR § 164.524.
- Amendment rights. The BA must make PHI available for amendment and incorporate amendments when directed.
- Accounting of disclosures. The BA must make information available for the covered entity to fulfill accounting of disclosures requests.
- HHS access. The BA must make its practices, records, and books available to HHS for compliance determinations.
- Return or destruction. At termination, the BA must return or destroy all PHI. If that is not feasible, the BAA must explain why and extend protections indefinitely.
- Termination rights. The covered entity must be able to terminate the agreement if the BA violates a material term.
Common mistakes
1. Vendors without BAAs
This is the most straightforward violation and one of the most commonly penalized. In 2023, OCR settled with a dental practice for $50,000 specifically because it used a cloud-based storage service for patient records without a BAA. The practice had fewer than 10 employees. Size does not matter for this requirement.
The fix is an inventory. List every vendor. Determine which ones handle PHI. Confirm you have a signed BAA for each. If you find gaps, close them immediately — either by signing a BAA or by stopping the use of that vendor for PHI-related services.
2. BAAs without breach notification clauses
Some BAAs, particularly older ones drafted before the HITECH Omnibus Rule took effect in 2013, lack adequate breach notification language. If your BAA does not require the business associate to notify you of breaches within a specific timeframe, you could discover a breach affecting your patients months after it happened. By then, your own 60-day notification clock under 45 CFR § 164.404 may have already expired. The timing can be worse than it looks: if the BA is acting as your agent under the federal common law of agency, the BA's discovery of the breach is imputed to you, so your 60 days may start the day the BA discovers it, not the day the BA tells you.
3. Signing the vendor's template without review
Most large vendors (Microsoft, Google, Amazon) offer standard BAAs. These are generally compliant, but they are written to protect the vendor. They may include broad permitted uses, minimal breach notification timelines, and limitations on liability. They also typically cover only a named list of services (for example, AWS's "HIPAA Eligible Services" or Google Cloud's covered products); storing PHI in a service outside that list puts it outside the BAA even though you have one signed. Read them. Know what you are agreeing to, and which services are actually covered. Negotiate where you can, especially on breach notification timelines.
4. No process for tracking or renewing BAAs
A BAA signed in 2018 may not reflect your current relationship with that vendor, changes in regulations, or changes in what PHI the vendor handles. BAAs should be reviewed when you renew vendor contracts, when your use of the vendor changes, and when regulations are updated. Without a tracking system, BAAs expire, fall out of date, or get lost.
Managing BAAs at scale
A typical healthcare practice with 5–20 employees may have 15–30 business associate relationships. A multi-location practice or health system can have hundreds. Managing this manually — tracking expiration dates, ensuring all required provisions are present, following up on missing agreements — breaks down quickly.
What works is a centralized inventory with a handful of fields per vendor: vendor name, whether the vendor handles PHI at all, whether a BAA is in place, the date it was last reviewed, and the breach notification timeline it specifies. Update it whenever you onboard a new vendor or renew an existing contract. Run a gap check quarterly: every vendor that handles PHI must have a BAA, every BAA must have been reviewed within your review interval, and every BAA must carry a notification timeline you can live with.
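The quarterly gap check above is simple enough to script. The following is an added example, not code from the original page or from BlackSheep: it reads an inventory in the shape just described (the CSV columns, the sample vendors and the review and notification thresholds are all constructed assumptions) and reports the gaps a reviewer would have to chase down.

```python
"""BAA gap check over a vendor inventory.

Added example. Reads a CSV with one row per vendor (whether it handles PHI,
whether a BAA is signed, when the BAA was last reviewed, the notification
deadline the BAA specifies) and returns the gaps a quarterly review should
catch. The inventory and the thresholds below are constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample inventory; the vendors are not real.
SAMPLE_INVENTORY = """\
vendor,handles_phi,baa_signed,last_reviewed,notify_within_days
Acme EHR,yes,yes,2024-03-15,5
Cloud Backup Co,yes,no,,
Shred-It Local,yes,yes,2018-06-01,60
Office Cleaning LLC,no,no,,
Transcribe Now,yes,yes,2023-11-20,
"""

REVIEW_INTERVAL = timedelta(days=365)  # assumed policy: review every BAA yearly
MAX_NOTIFY_DAYS = 10                   # assumed policy: BA must notify within 10 days


@dataclass(frozen=True)
class Finding:
    vendor: str
    issue: str


def _is_yes(value: str) -> bool:
    return value.strip().lower() in {"yes", "y", "true", "1"}


def check_inventory(csv_text, today, review_interval=REVIEW_INTERVAL,
                    max_notify_days=MAX_NOTIFY_DAYS):
    """Return a list of Finding objects for every gap in the inventory."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        vendor = row["vendor"].strip()
        handles_phi = (row.get("handles_phi") or "").strip()
        if not handles_phi:
            # Unknown exposure is itself a gap: nobody decided whether a BAA is needed.
            findings.append(Finding(vendor, "PHI exposure not assessed"))
            continue
        if not _is_yes(handles_phi):
            continue  # no PHI, no BAA required
        if not _is_yes(row.get("baa_signed") or ""):
            findings.append(Finding(vendor, "handles PHI but no BAA on file"))
            continue  # the remaining checks presume a signed BAA
        reviewed = (row.get("last_reviewed") or "").strip()
        if not reviewed:
            findings.append(Finding(vendor, "BAA has no recorded review date"))
        elif today - date.fromisoformat(reviewed) > review_interval:
            findings.append(Finding(
                vendor, f"BAA last reviewed {reviewed}, more than "
                        f"{review_interval.days} days ago"))
        notify = (row.get("notify_within_days") or "").strip()
        if not notify:
            findings.append(Finding(vendor, "BAA specifies no breach notification timeline"))
        elif int(notify) > max_notify_days:
            findings.append(Finding(
                vendor, f"notification timeline of {notify} days exceeds "
                        f"policy of {max_notify_days} days"))
    return findings


def report(findings):
    """Format findings grouped by vendor, one issue per line."""
    if not findings:
        return "No BAA gaps found."
    lines = []
    for vendor in sorted({f.vendor for f in findings}):
        lines.append(vendor)
        lines.extend(f"  - {f.issue}" for f in findings if f.vendor == vendor)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(check_inventory(SAMPLE_INVENTORY, date.today())))
```

A vendor that does not handle PHI is skipped rather than flagged, but a blank `handles_phi` column is reported, since an unassessed vendor is exactly the gap the inventory exists to close. Swap the sample CSV for an export from whatever system holds your vendor list.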
For definitions of key terms like business associate, covered entity, and subcontractor, see the compliance glossary.
What happens when a BA relationship goes wrong
If you learn that a business associate has violated a material term of the BAA (for example, they suffered a breach and failed to notify you), you are required to take reasonable steps to cure the breach or end the violation. If those steps fail, you must terminate the agreement if termination is feasible. Before the 2013 Omnibus Rule, a covered entity that could not feasibly terminate had to report the problem to the Secretary of HHS; that reporting requirement was removed in 2013, but the duty to cure or terminate remains, and a BA has the same duty toward its own subcontractors.
You cannot simply ignore known violations. Under 45 CFR § 164.504(e)(1)(ii), a covered entity that knows of a "pattern of activity or practice" constituting a material breach by a BA — and does not act — is itself in violation. This is how a vendor's problem becomes your problem.
How BlackSheep helps
BlackSheep's HIPAA compliance platform includes a vendor management module that tracks your business associate inventory, flags missing or expired BAAs, and stores signed agreements with version history. When you add a new vendor, the platform walks you through the BAA checklist so nothing gets skipped.
Know which vendors have BAAs and which ones do not.
Track your BAAs with BlackSheep