
Business Associates

Do I Need a BAA With My Vendor? A Plain-English Guide to Which Vendors Require a Business Associate Agreement

TL;DR

You need a BAA with any vendor that creates, receives, maintains, or transmits PHI on your behalf. That includes EHR and practice management software, billing companies and clearinghouses, cloud storage (Google Workspace, Microsoft 365, Dropbox, AWS), email services that carry PHI, appointment and telehealth tools, IT support and managed service providers with system access, and professional service firms (legal, accounting) that handle PHI. You generally do not need one for true conduits that only transmit data without storing it, like the postal service, or for vendors that never touch PHI. When in doubt, the test is simple: does this vendor handle PHI on your behalf?

You need a BAA with any vendor that creates, receives, maintains, or transmits PHI on your behalf. That includes EHR and practice management software, billing companies and clearinghouses, cloud storage (Google Workspace, Microsoft 365, Dropbox, AWS), email services that carry PHI, appointment and telehealth tools, IT support and managed service providers with system access, and professional service firms (legal, accounting) that handle PHI. You generally do not need one for true conduits that only transmit data without storing it, like the postal service, or for vendors that never touch PHI. When in doubt, the test is simple: does this vendor handle PHI on your behalf?

Cloud storage, email, EHR software, billing, AI tools, IT support: which of your vendors actually require a HIPAA Business Associate Agreement? A clear, plain-English decision guide with a vendor-by-vendor breakdown.

medcomply.ai editorial team · Published June 8, 2026 · Updated June 8, 2026 · 6 min read

"Do I need a BAA with this vendor?" is one of the most common questions in healthcare compliance, and one of the most commonly answered wrong. Practices either sign agreements they do not need, creating busywork, or skip agreements they absolutely need, creating liability. This guide gives you a clear answer.

The one test that resolves most cases

HIPAA defines a business associate as a person or entity that creates, receives, maintains, or transmits protected health information on behalf of a covered entity in the course of performing a function or service for that entity.

45 CFR §160.103

That definition is the entire test. For any vendor, ask:

Does this vendor create, receive, maintain, or transmit PHI on our behalf?

If the answer is yes, you need a signed BAA before any PHI flows to them. If the answer is no, because the vendor never touches PHI, you do not. Everything below is just applying this test to the vendors practices actually use.

Vendors that almost always require a BAA

Electronic health record (EHR) and practice management software. These vendors store and process your patients' data as their core function. A BAA is required. Most EHR vendors include BAA language in their contracts, but you must verify a signed BAA is on file and that it covers your specific implementation. Do not assume coverage exists because the vendor is "a healthcare company."

Billing companies and clearinghouses. They handle claims containing patient information on your behalf. A BAA is required.

Cloud storage and backup providers. If PHI is stored on their servers, they are business associates. This includes Google Cloud and Google Workspace, Microsoft Azure and Microsoft 365, Amazon Web Services, and Dropbox, when used with PHI. All major providers offer BAAs, but with an important catch covered in the next section.

Email services that carry PHI. If your staff routinely sends messages containing PHI through a third-party email service, that provider is a business associate, because copies of those emails remain on the provider's servers. A free consumer email account is never appropriate for PHI.

Appointment, scheduling, telehealth, and patient communication tools. Any platform that handles patient information to send reminders, conduct visits, or communicate with patients is a business associate.

IT support and managed service providers. If your IT vendor or contractor has access to systems that contain ePHI, they have access to PHI and need a BAA, even if they never intentionally view patient data. The ability to access PHI is what matters, not whether they actually read it.

Professional service firms that handle PHI. Legal, accounting, and consulting firms become business associates when their work involves access to patient information. (We covered an accounting firm that learned this the hard way in our piece on the BST and Co. CPAs settlement.)

The cloud and email trap: a BAA alone is not enough

Here is where practices get caught even when they think they are compliant.

When you sign a BAA with a cloud provider like Google or Microsoft, the agreement only covers specific "in-scope" or "eligible" services. PHI is only permitted to flow through those covered services.

The classic failure: a practice signs a BAA with Google for its in-scope Workspace services, then a staff member forwards patient information through a personal Gmail account, or uses a Google service the BAA does not cover. The practice is in violation despite having a BAA in place, because the PHI moved through a channel the agreement never covered.

Two rules follow from this:

First, execute the BAA on the correct paid business or enterprise tier. Free consumer accounts do not come with BAAs and cannot be used for PHI under any circumstances.

Second, confirm which specific services the BAA covers, and ensure your workforce only uses those covered services for PHI. A BAA is a starting point, not a blanket shield.

The conduit exception: a narrow escape hatch, often misapplied

There is a genuine exception for entities that only transmit data without storing it. The postal service and internet service providers are the classic examples: they move information from point A to point B without accessing or retaining it beyond what is transitory.

The trap is assuming your cloud or email provider qualifies. It almost never does. The exception was deliberately narrowed: because cloud providers and email services retain copies of data on their servers, they have persistent access to PHI and are business associates, not conduits. Do not use the conduit exception to justify skipping a BAA with a vendor that stores your data.

The AI tool question

This is a fast-growing source of risk. Public, consumer versions of general AI tools do not sign BAAs. Entering PHI (patient names, diagnoses, appointment details, or anything that could identify an individual in connection with their healthcare) into a consumer AI tool is a HIPAA violation.

Some enterprise or API versions of these products do offer BAAs, but availability is vendor- and product-specific, and the agreement must be reviewed to confirm how patient data is handled, including whether it could be used to train the vendor's models. The safe default: never put PHI into an AI tool unless you have confirmed a BAA is in place and have reviewed exactly how the vendor uses your data.

Vendors that generally do NOT require a BAA

Vendors that never touch PHI. Your office supply company, your landlord, and your general marketing agency (as long as it has no access to patient data) are not business associates. Signing BAAs with them creates unnecessary paperwork.

True conduits. The postal service and ISPs moving data without storing it.

Members of your own workforce. Employees are governed by your internal policies and training, not BAAs. (Independent contractors who function like staff are a nuanced case; the question is whether they are part of your workforce or an outside entity.)

Other covered entities sharing PHI for treatment. When you share PHI with another provider for treatment purposes, that is a permitted disclosure between covered entities, not a business associate relationship.

What to do with this

Build a simple vendor inventory. For every vendor your practice uses, write down one thing: does this vendor create, receive, maintain, or transmit PHI on our behalf? For every "yes," confirm a current, signed BAA is on file that covers the actual services you use.

Warning

A missing BAA is a HIPAA violation in its own right, separate from any breach. OCR has penalized organizations specifically for disclosing PHI to vendors without a required BAA, even when no breach occurred. The agreement must be in place before PHI flows to the vendor, not after.

The test for whether you need a BAA is a single question: does this vendor create, receive, maintain, or transmit PHI on your behalf? If yes, get a signed BAA before any PHI flows to them. EHR software, billing companies, cloud storage, email carrying PHI, telehealth tools, IT support with system access, and professional firms handling PHI all require one. The conduit exception is narrow and rarely applies to cloud or email providers. And a BAA with a cloud provider only covers specific in-scope services, so the agreement is a starting point, not a blanket shield.

Sources & citations

  • 45 CFR §160.103 — Definition of Business Associate
  • HHS — Business Associate Contracts
  • HHS — Guidance on HIPAA & Cloud Computing

All content verified against official HHS guidance and the Code of Federal Regulations.

Frequently asked questions

What is the simple test for whether a vendor needs a BAA?

Ask one question: does this vendor create, receive, maintain, or transmit protected health information (PHI) on your behalf? If yes, you need a signed BAA before any PHI flows to them. If the vendor never touches PHI, you do not need one. This single test, drawn directly from the HIPAA definition of a business associate, resolves most cases.

Do I need a BAA with Google Workspace or Microsoft 365?

Yes, if your practice uses them to create, store, or transmit PHI. Both Google and Microsoft offer BAAs for their paid business and enterprise tiers, but the BAA only covers specific 'in-scope' or 'eligible' services. You must execute the BAA and confirm which services it covers. A free consumer Gmail or personal Outlook account is not covered and must never be used for PHI.

Does an EHR or practice management vendor automatically have a BAA?

Do not assume so. Most major EHR vendors include BAA language in their standard contracts, but you must verify that a signed BAA is actually on file, that it covers the specific services and data flows in your implementation, and that it has been updated to reflect any service or subcontractor changes since signing. 'They're an EHR vendor, so we must be covered' is not a safe assumption in an OCR investigation.

Do I need a BAA with a vendor that only transmits data and never stores it?

Generally no, under the 'conduit exception.' This narrow exception covers entities that only transport data without accessing or storing it beyond what is transitory, like the postal service or an internet service provider moving packets. The exception is narrow: most cloud and email providers retain copies of data on their servers, which makes them business associates, not conduits. Do not over-rely on the conduit exception.

Do I need a BAA with an AI tool like ChatGPT?

Public consumer versions of general AI tools do not sign BAAs, and entering PHI into them is a HIPAA violation. Some enterprise or API versions of these products do offer BAAs, but availability is vendor- and product-specific, and the agreement must be reviewed to confirm how patient data is handled, including whether it is used for model training. Never input PHI into a consumer AI tool.

What happens if I don't have a required BAA?

Disclosing PHI to a vendor without a required BAA is itself a HIPAA violation, separate from any breach. OCR has imposed penalties specifically for missing BAAs, even when no breach occurred. If a breach happens involving a vendor you had no BAA with, you face liability for both the missing agreement and the breach.

Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.