HIPAA Business Associate Agreement for DSOs
By BAA Generator Editorial · Updated Apr 19, 2026 · 5 min read
Key Takeaways
- ✓ DSO corporate entities are HIPAA business associates; affiliated dental practices are covered entities
- ✓ Group-level vendor contracts must include BAA provisions covering all affiliated practices' PHI
- ✓ The DSO should have an internal BAA or similar agreement with each affiliated practice
- ✓ Analytics and BI tools receiving patient-level data at the group level require BAAs
Dental Service Organizations operate in a legally complex HIPAA environment. The DSO parent entity — which provides management, administrative, and infrastructure services to its affiliated dental practices — is not itself a healthcare provider delivering patient care. But it creates, receives, maintains, and transmits PHI as part of those management functions, making it a business associate of its own affiliated practices. This unusual structure — where the parent is a BA of its subsidiaries — creates specific BAA obligations that differ from both the standard covered entity and the standard business associate frameworks.
The DSO BAA Structure
Here is the three-tier structure that governs DSO HIPAA compliance:
Tier 1: Affiliated Dental Practices (Covered Entities)
Each dental practice within the DSO group is a covered entity — it provides care to patients and transmits health information electronically in connection with insurance claims. The practice has HIPAA's full Privacy Rule, Security Rule, and Breach Notification Rule obligations.
Tier 2: DSO Corporate Entity (Business Associate)
The DSO parent — which manages payroll, HR, marketing, EHR contracts, billing, and IT on behalf of affiliated practices — handles PHI as part of these services. This makes the DSO a business associate of the affiliated practices it serves. An internal BAA (sometimes called a management services agreement with embedded BAA terms, or a separate BAA) should document this relationship. Under 45 CFR § 164.504(e), this agreement must meet all required BAA elements.
Tier 3: Vendors (Sub-Business Associates)
Vendors the DSO contracts with at the group level — EHR systems, billing companies, IT infrastructure, analytics platforms — become sub-business associates when their services involve PHI from affiliated practices. Group-level vendor contracts must include BAA provisions that cover the PHI of each affiliated practice.
Group-Level Vendor BAA Considerations
EHR and Practice Management Platforms
When a DSO negotiates a single EHR agreement (Dentrix Enterprise, Eaglesoft, Carestream Dental, or others) covering all affiliated practices, the BAA must be structured to cover PHI from each practice. Some EHR vendors provide a single enterprise BAA for the DSO group; others require individual BAAs with each practice entity. Work with your EHR vendor's legal team to confirm the coverage scope.
Centralized Billing and RCM
DSOs often centralize billing operations to reduce costs. The centralized billing company or RCM vendor that processes claims for all affiliated practices must have BAA coverage for each practice's PHI. If the DSO negotiates the billing contract at the group level, the BAA must identify or adequately cover each affiliated practice. See our guide on when a HIPAA BAA is required for the decision framework.
Group IT Infrastructure
IT managed service providers with access to systems containing patient records from multiple affiliated practices are business associates. Group-level IT contracts should include BAA provisions that cover all practices in the DSO's portfolio. As practices are acquired, ensure the new practice's systems and data are brought under the DSO's existing BAA framework.
Analytics and Business Intelligence
DSOs frequently deploy business intelligence platforms (Tableau, Power BI, custom data warehouses) to analyze clinical and financial performance across the practice portfolio. If these platforms receive patient-level PHI — even aggregated — the vendor requires a BAA. Many enterprise BI platforms offer BAAs; confirm availability and scope before connecting PHI to group analytics tools. See our checklist on whether your vendor signs BAAs.
HR Systems
HR systems that manage employee health benefits may receive employee health information (not patient PHI, but a related privacy concern). If HR systems also receive information that links employees to patient scheduling in a way that reveals patient data, BAA coverage may be warranted. Review with your HR platform vendor.
| Relationship | HIPAA Status | BAA Needed? |
|---|---|---|
| Affiliated dental practice → patients | Practice is covered entity | N/A (patient relationship) |
| Affiliated practice → DSO | DSO is business associate | Yes — internal BAA required |
| DSO → EHR vendor | EHR vendor is sub-BA | Yes — group-level BAA covering all practices |
| DSO → Billing company | Billing company is sub-BA | Yes — must cover all affiliated practices |
| DSO → Analytics platform | Analytics platform is sub-BA (if PHI accessed) | Yes (if patient-level PHI) |
| DSO → IT MSP | IT MSP is sub-BA | Yes |
Frequently Asked Questions
Is a DSO a covered entity or business associate?
In the typical structure, the DSO corporate entity is a business associate and the affiliated dental practices are covered entities. The DSO handles PHI on behalf of its affiliated practices (covered entities) as part of providing management services, creating a business associate relationship governed by 45 CFR § 164.504(e).
Who signs BAAs for DSO-affiliated practices?
It depends on the DSO's legal structure. When the DSO negotiates vendor contracts at the group level, the vendor BAA must adequately cover PHI from all affiliated practices. Some DSOs use a single enterprise BAA for the group; others require individual practice-level BAAs with certain vendors. Consult legal counsel to determine the appropriate approach for your specific DSO structure.
How should a DSO structure its vendor BAA agreements?
A DSO should establish an internal BAA framework with each affiliated practice, ensure group-level vendor contracts include BAA provisions covering all affiliated practices' PHI, document which entity (DSO vs. individual practice) is party to each vendor BAA, and review the structure when practices are acquired or divested. Legal counsel specializing in health law should be involved in structuring this framework.
Do DSO analytics and BI tools require BAAs?
Yes, if those tools receive or process patient-level PHI. Group-level analytics platforms connecting to practice data that includes patient identifiers are handling PHI from multiple covered entities. Enterprise BI platforms like Tableau and Power BI offer BAAs at enterprise tiers — confirm availability and scope before connecting any practice PHI to group-level analytics tools.