If you work in healthcare long enough, you’ll eventually hear someone say, “We’re HIPAA compliant—our vendor said so.” Then you ask a simple follow-up question:

“Do you have a signed Business Associate Agreement (BAA) with them?”

That one document (or lack of it) is where a lot of organizations get exposed—especially now that cloud platforms, remote workforce tools, and AI-powered services touch protected health information (PHI) in more ways than ever.

This post breaks down what a BAA is, who needs one, when you don’t need one, and what to look for so you’re not relying on wishful thinking when OCR (the HHS Office for Civil Rights) comes knocking.

What is a Business Associate Agreement (BAA)?

A Business Associate Agreement (BAA) is a written contract required under HIPAA that sets the rules for how a vendor (a business associate) can use, protect, and disclose PHI it handles on behalf of a covered entity (or another business associate).

HIPAA allows covered entities (like providers and health plans) to share PHI with outside companies only if the covered entity gets “satisfactory assurances” that the vendor will safeguard the information—and the primary way you document those assurances is through a BAA.

Think of a BAA as the “rules of the road” for PHI:

  • what the vendor is allowed to do with PHI,
  • what safeguards they must implement,
  • how breaches are handled,
  • and how responsibility flows downstream to subcontractors.

Quick HIPAA roles refresher: Covered Entity vs Business Associate

Covered entities (CEs)

HIPAA applies directly to:

  • Health plans
  • Healthcare clearinghouses
  • Healthcare providers who transmit health information electronically in certain transactions (billing, eligibility checks, etc.)

Business associates (BAs)

A business associate is generally a person or company (not your employee) that creates, receives, maintains, or transmits PHI for a covered entity—or provides certain services where PHI is involved (like billing, consulting, legal, or data analytics).

Also important: subcontractors of a business associate can themselves become business associates if they touch PHI in the chain.

So who needs a BAA?

Here’s the practical rule:

You likely need a BAA when a vendor touches PHI on your behalf.

That includes when they:

  • store it,
  • process it,
  • view it,
  • transmit it,
  • analyze it,
  • back it up,
  • or provide support access to systems containing it.

HIPAA is explicit that covered entities and business associates generally must have contracts in place with business associates to ensure appropriate safeguarding of PHI.

Common vendors that typically require a BAA

This is where most organizations get surprised:

1) Cloud providers and hosting
If a cloud service provider (CSP) creates/receives/maintains/transmits ePHI, they are a business associate—and a BAA is required. This is true even if the CSP only stores encrypted ePHI and doesn’t hold your encryption key.

2) Email, storage, and collaboration tools
If your staff uses a platform to store or communicate PHI (email, file storage, chat, eFax), you’re typically in BAA territory.

3) Billing, revenue cycle, and collections
Claims processing, billing support, clearinghouses, reimbursement analytics—these are classic BAA scenarios.

4) IT managed service providers (MSPs) and cybersecurity vendors
If your IT provider has admin access to systems containing ePHI, that is usually PHI access “on your behalf,” which commonly triggers a BAA.

5) EHR/EMR vendors and patient engagement platforms
Appointment reminders, patient portals, intake tools, telehealth platforms, remote monitoring services—if PHI is involved, assume you need to evaluate for a BAA.

6) Data analytics, QA, utilization review, and population health
HIPAA’s business associate definition specifically includes activities like data analysis, quality assurance, and utilization review when PHI is involved.

7) AI vendors and “smart” tools
If an AI tool touches PHI—uploads, summarizes, transcribes, extracts, or trains on it—you’re not just thinking “cool feature.” You’re thinking:

  • Do they qualify as a BA?
  • Do they offer a BAA?
  • Do they use PHI for their own purposes?
  • Do they have subcontractors?

When you don’t need a BAA (common exceptions)

Not every vendor needs a BAA. Some relationships are outside BAA scope.

1) Treatment disclosures to another provider

Sharing PHI with another provider for treatment is usually not a business associate relationship (it’s a treatment disclosure).

2) Conduit exception (narrow)

Some services act like a “pipeline” that transmits information without storing it (think certain telecom-type services). This exception is narrow and often misunderstood; many modern “communication tools” store messages, logs, and attachments—pushing them out of conduit territory.

3) Vendors with no PHI access

If a vendor provides services and does not create/receive/maintain/transmit PHI (and cannot access it), a BAA may not be required. But be careful: “we don’t look at PHI” is not the same as “we can’t access PHI.”

Why BAAs matter more now: cloud + AI changed the risk model

Ten years ago, lots of vendors were “offsite support” or “billing company.” Today, your PHI ecosystem can include:

  • cloud storage,
  • managed databases,
  • logging/monitoring tools,
  • data warehouses,
  • transcription AI,
  • call-center analytics,
  • marketing automation,
  • patient messaging APIs,
  • and outsourced IT that can remote into everything.

OCR guidance is clear that cloud providers are business associates when they handle ePHI—and you must have a HIPAA-compliant BAA in place.

AI adds a second layer of complexity: your vendor might be using additional subprocessors (LLM providers, vector databases, transcription engines). That downstream chain creates more points of exposure—and more contracts you need to confirm exist.

The “real world” BAA failure modes I see most often

Here are the patterns that show up again and again:

1) “We signed something… years ago.”

BAAs go stale. Vendors change their products, add AI features, change subprocessors, move infrastructure, revise breach notification timelines, or update permitted uses. If your BAA doesn’t match today’s reality, you’re exposed.

2) “The vendor has a BAA template online, so we’re good.”

A template is not an executed agreement. You need:

  • the signed version,
  • the correct legal entity,
  • the correct services covered,
  • and the correct version date.

3) “Our vendor says they’re HIPAA compliant, so we don’t need a BAA.”

HIPAA doesn’t work like that. If they are a business associate, the BAA is part of compliance.

4) “We have a BAA with the main vendor, but not the subcontractors.”

HIPAA expects the chain to be covered. Subcontractors that handle PHI on behalf of a BA also qualify as business associates.

5) “We use the tool for scheduling only.”

Scheduling data can still be PHI depending on context (patient name + appointment type + clinic specialty can reveal medical information). The safe assumption is: evaluate the data fields and workflow instead of relying on marketing descriptions.

What should a BAA include (at minimum)?

HIPAA lays out required elements for business associate contracts, including that they must establish permitted uses/disclosures and require the BA to safeguard PHI.

In practical terms, your BAA should clearly address:

  • Permitted uses and disclosures: What exactly is the BA allowed to do with PHI?
  • Safeguards: Administrative, physical, and technical safeguards for ePHI (and policies for PHI generally).
  • Breach/incident reporting: Who reports, how fast, what details are required, and how you coordinate notifications.
  • Subcontractors: The BA must ensure downstream vendors follow the same restrictions.
  • Return/destroy PHI: What happens at termination—return, destroy, retention limits.
  • Audit/inspection language: Reasonable rights to verify compliance expectations (even if limited).
  • Clear definition of PHI/ePHI scope: What systems, data types, and services are included.

Even if your legal team owns the exact language, your compliance team should own the operational reality: does the contract match what the vendor is actually doing?

“But we’re small—does this really apply to us?”

Yes. HIPAA doesn’t have a “small business” exemption for BAAs.

Small practices are often more exposed because they rely heavily on outsourced vendors and cloud tools, and the BAA paperwork tends to lag behind the reality of the tech stack.

And as vendor ecosystems get more complex—especially with AI services added quietly in product updates—your risk increases unless you’re actively managing BAAs.

A quote from Carl B. Johnson (and why it’s blunt on purpose)

As Carl B. Johnson often puts it:

“One of the biggest risks—besides not training your healthcare staff—is not having updated BAAs for your vendors. It’s not an option. It’s a requirement.”

That’s the truth in plain English:

  • training reduces human error,
  • BAAs reduce vendor ambiguity,
  • and both are foundational controls, not “nice-to-haves.”

Practical next steps: a simple BAA inventory process you can start today

If you want a clean, audit-ready approach without overcomplicating it:

  1. List every vendor that touches systems containing PHI
    Include IT support, cloud hosting, email/storage, EHR add-ons, billing, analytics, call center tools, and AI services.
  2. Mark which ones create/receive/maintain/transmit PHI
    If yes → they’re likely a BA scenario.
  3. Collect executed BAAs
    Not templates. Not sales emails. Signed agreements.
  4. Verify scope + subprocessors
    Does the BAA cover the product you actually use today? Any AI features? Any subprocessors?
  5. Set a review cadence
    At least annually—or whenever you change vendors, add features, migrate systems, or adopt AI workflows.

If you’re tracking toward stronger security expectations (and the broader industry is), vendor oversight and risk management are moving higher on the priority list.

Final thought

BAAs are not exciting. They’re not trendy. They don’t feel like “security.”

But they’re one of the clearest lines in HIPAA compliance between:

  • “we assumed the vendor would do the right thing,” and
  • “we documented the rules, assigned responsibility, and required safeguards.”

And in a world where PHI touches cloud services and AI pipelines constantly, that clarity matters.

Call to action

If you want to simplify and streamline the BAA process (especially keeping up with vendors, updates, and documentation), use our Business Associate Agreement Generator.