Tags: Beginner · practice manager · vendor · front desk

Do we need to sign anything? Business Associate Agreements explained simply

A plain-English look at BAAs, the contracts you need with vendors that touch patient information.

TL;DR

A BAA is a contract that says how a vendor will protect patient information when they work on your behalf. If they handle PHI for you, you almost always need one before the work starts.

Updated 2026-04-21

A Business Associate Agreement (BAA) sounds formal, but think of it as a safety contract: "We are trusting you with patient information, here is how you must protect it, what happens in a breach, and how we end the relationship if needed."

Who needs a BAA?

If a company creates, receives, maintains, or transmits protected health information (PHI) on your practice's behalf, as opposed to, say, selling you paperclips, you probably need a BAA. The same rule flows downward: a business associate that hands your PHI to its own subcontractors needs a BAA with each of them.

Common examples: EHR hosting, billing and coding services, cloud storage or backup, IT support with access to systems that hold PHI, email services that can read message content, and many telehealth platforms. A vendor that only moves encrypted data without the ability to read it (a mere conduit) may not need one, but treat that as the exception and check before relying on it.

What if we skip it?

Your practice can be out of compliance even if the vendor handles the data perfectly. Regulators expect the paperwork to match reality, and a missing BAA is itself a finding, not just a technicality that surfaces after a breach. Patients and staff also lose clarity about who is responsible for what if data is mishandled.

How do you get one?

Ask the vendor. Serious healthcare vendors expect this question and usually have a standard BAA ready to sign. Read it, or have counsel read the first one, and check that it covers the basics: what the vendor may and may not do with the PHI, how and how quickly they must report a breach or other impermissible use, that they will require the same terms of their own subcontractors, and what happens to the data (return or destruction) when the relationship ends. Keep a signed copy where you can find it, and re-check it when the scope of the vendor's work changes.

Does the vendor's "HIPAA compliant" badge replace a BAA?

No. A badge or "HIPAA compliant" marketing claim might describe the vendor's own controls, but your practice still needs the contract that spells out legal duties on both sides. A vendor that claims compliance but will not sign a BAA is a warning sign, not a shortcut.

Want a deeper dive?

Our intelligence article walks through BAAs in more detail for teams negotiating terms: What is a BAA?

Not legal advice. Educational overview only; consult qualified counsel for your situation.