HIPAA BAA Generator

When Do You Need a Business Associate Agreement?

Determining when you need a BAA can be confusing. Here's a practical guide to help you identify when a Business Associate Agreement is required.


The Simple Test


Ask yourself: "Does this vendor create, receive, maintain, or transmit PHI on my behalf?" If yes, you need a BAA. This tracks the definition of "business associate" in 45 CFR 160.103: a person or entity that performs a function or service for a covered entity (or for another business associate) that involves PHI. Two details matter here. First, "maintain" includes a vendor that merely stores PHI or has persistent access to systems containing it, even if the vendor never actually looks at the data. Second, the obligation flows downstream: a business associate that passes PHI to its own subcontractor must have a BAA with that subcontractor as well.


Common Business Associate Relationships


Here are the most common scenarios where a BAA is required:


1. **IT service providers** — Companies that host, manage, or have access to systems containing PHI (EHR vendors, managed IT services, cloud hosting providers)

2. **Billing and coding companies** — Third-party billing services that process claims containing patient information

3. **Transcription services** — Companies that transcribe medical dictations

4. **Shredding and disposal companies** — Vendors that destroy physical records containing PHI

5. **Consultants and auditors** — Any consultant who may access PHI during their work

6. **Lawyers and accountants** — When their services involve access to PHI

7. **Data analytics companies** — Firms that analyze patient data for quality improvement or population health

8. **Cloud storage providers** — Any service storing PHI in the cloud (even if encrypted)

9. **Answering services** — Medical answering services that take patient messages

10. **Software vendors** — SaaS tools that process or store PHI


When You DON'T Need a BAA


Not every vendor relationship requires a BAA:


- **Disclosures between covered entities for treatment, payment, or healthcare operations** — When one provider discloses PHI to another for the patient's treatment, the recipient is not acting on the discloser's behalf; the Privacy Rule permits the disclosure directly, so no BAA is needed. Note that a covered entity can still be a business associate of another covered entity when it performs a service for it (for example, a hospital handling billing for a physician group), and that relationship does require a BAA.

- **Conduit exception** — The postal service, couriers, phone companies, and internet service providers that merely transport PHI do not require BAAs. OCR reads this exception narrowly: it covers transmission-only services, where any storage is transient and incidental to the transmission. A service that keeps PHI at rest (cloud storage, hosted email, backup providers) is not a conduit, whether or not it can read the data.

- **De-identified data** — If PHI has been properly de-identified per HIPAA standards, no BAA is needed

- **Employees** — Your workforce members are covered under your own HIPAA policies, not BAAs

- **Personal health records** — Consumer PHR apps offered directly to individuals, rather than on behalf of a covered entity, are not business associates


The Gray Areas


Some situations are less clear:


- **Janitorial services** — Generally no BAA needed unless they have regular access to PHI

- **Maintenance workers** — Same as above; incidental exposure typically doesn't trigger BAA requirements

- **Patient portal vendors** — Usually yes, since they store and transmit PHI


What Happens Without a BAA?


Operating without a required BAA is itself a HIPAA violation, separate from any breach that later occurs: the covered entity has disclosed PHI to a vendor without the permission the Privacy Rule requires. OCR has repeatedly cited missing or inadequate BAAs in its enforcement settlements, including cases where a billing contractor or other vendor received PHI with no agreement in place at all, and those settlements have reached into the hundreds of thousands and, combined with other findings, millions of dollars. Since the 2013 Omnibus Rule, business associates are also directly liable under HIPAA for their own compliance, so the absence of a BAA does not shield either party.


Best Practice


When in doubt, get a BAA. It is better to have an unnecessary BAA than to lack a required one. Make BAA review part of your vendor onboarding process, keep an inventory that records which vendors handle PHI and which agreement covers each, and audit existing vendor relationships at least annually so that a vendor whose role has expanded to touch PHI does not slip through.
