HIPAA BAA Requirements for Healthcare Staffing Agencies

By BAA Generator Editorial  ·  Updated Apr 20, 2026  ·  5 min read

Key Takeaways

Direct answer: Healthcare staffing agencies have dual HIPAA BAA obligations: they must sign BAAs with the covered entities they serve (hospitals, clinics) and obtain BAAs from their own vendors that handle health-related candidate data. The BAA relationship runs in both directions depending on the context.

Healthcare staffing agencies occupy a unique position in the HIPAA compliance landscape: they operate as business associates to their healthcare provider clients, and they simultaneously have their own vendor relationships that may require BAAs. Understanding this dual role is essential for staffing firms to maintain compliance — and for the hospitals and practices that contract with them to meet their own obligations.

The Dual BAA Role of Healthcare Staffing Agencies

A healthcare staffing agency's compliance picture has two distinct components:

Role 1: Staffing Agency as Business Associate

When a staffing agency places clinical workers — nurses, physicians, physical therapists, medical coders, or other allied health professionals — with HIPAA covered entities, those placed workers often access patient PHI in the course of their duties. The staffing agency is enabling this access on behalf of the covered entity, making the agency a business associate.

The covered entity (the hospital or clinic) should require a signed BAA from the staffing agency before placing workers who will access patient records. The BAA obligates the staffing agency to ensure that placed workers are trained on HIPAA requirements, to report any security incidents involving PHI, and to return or destroy PHI when the staffing relationship ends.

Role 2: Staffing Agency's Own Vendors

Healthcare staffing agencies also generate their own health-related data — specifically, applicant and worker health screening records. These may include immunization records, tuberculosis tests, drug screening results, physical examination data, and health history information required for clinical placement. When vendors process this data on behalf of the staffing agency, they may be handling PHI that requires BAA protection.

What Health-Related Data Staffing Agencies Handle

Healthcare staffing agencies collect and maintain a range of health-related information:

The HIPAA implications of this data are nuanced. Health information about employees and job applicants is generally not PHI under HIPAA — HIPAA covers PHI in the context of healthcare providers, health plans, and clearinghouses, not employment. However, when a staffing agency is providing services to a covered entity and the health screening data relates to the placement relationship, careful analysis is needed. Some covered entity clients contractually require BAAs for all health-related data their staffing vendors handle.

Vendors Healthcare Staffing Agencies Typically Need BAAs With

Credentialing Platforms

Credentialing verification organizations (CVOs) and credentialing management platforms — VerityStream, Provider Trust, Symplr, and Modio Health — verify and track clinical licenses, certifications, and health compliance requirements. When these platforms store health screening data (immunizations, TB tests) alongside credential information, they may be handling data that the staffing agency's covered entity clients consider PHI. Enterprise credentialing platforms generally offer HIPAA BAAs; confirm BAA availability before sharing health-related candidate records.

Background Check and Occupational Health Vendors

Background check companies that include drug testing, physical examination, or health history components handle health information for candidates. Occupational health clinics that conduct pre-employment physicals and immunization verification for the staffing agency are handling health records. Evaluate BAA requirements for these vendors based on the type of data being processed and the requirements of the covered entity clients you serve.

Applicant Tracking Systems

ATS platforms that store clinical candidate profiles — including health screening status, immunization records, and fitness-for-duty clearances — should be evaluated for BAA requirements. Enterprise ATS platforms used by large staffing firms generally offer HIPAA-compliant configurations and BAAs for clients handling health-related candidate data.

Payroll Vendors with Health Benefit Data

Payroll and HR platforms that handle health insurance enrollment, workers' compensation claims, or leave records for the staffing agency's own employees may hold PHI if those employees have health conditions documented in the system. This is distinct from the placement-related health data discussed above and is subject to the same analysis applied to any employer's health benefit records.

Common Vendor BAA Table for Healthcare Staffing

Vendor Type | Example Vendors | BAA Required?
Hospital / covered entity client | Hospitals, health systems, practices | Yes (staffing agency signs as BA)
Credentialing platform | VerityStream, Provider Trust, Symplr | Yes (if health data is stored)
Background check vendor | HireRight, Sterling, First Advantage | Evaluate (if health screening included)
Applicant tracking system | Bullhorn, Salesforce Health Cloud configs | Evaluate (if health data is stored)
Occupational health clinic | Local occupational medicine providers | Yes (if acting as BA for health records)
Payroll / HR platform | ADP, Paylocity, Workday | Evaluate (if health benefit data is processed)

Common Compliance Gaps for Staffing Agencies

The most frequent compliance issues for healthcare staffing agencies: (1) not executing a BAA with covered entity clients before placing workers who access patient records, leaving both parties exposed; (2) using credentialing platforms that store health screening data without evaluating BAA requirements; (3) applying consumer-grade productivity tools to candidate management workflows that include health records; and (4) not updating BAAs when the staffing relationship expands to include new covered entity clients or new types of services.

For guidance on subcontractor BAA obligations — which mirror the staffing agency's dual role — see our post on subcontractor BAAs under HIPAA. For a foundational overview of when BAAs are required, see what is a Business Associate Agreement.

Frequently Asked Questions

Does a healthcare staffing agency need to sign a BAA with hospitals?

Yes. When a staffing agency places clinical workers who access patient PHI, the agency is typically a business associate of the covered entity. The hospital should require a signed BAA from the staffing firm before placement begins. The BAA obligates the agency to ensure placed workers receive HIPAA training and to report security incidents involving PHI.

Do healthcare staffing agencies need BAAs with their own vendors?

Yes, for vendors that process health-related data on behalf of the agency. Credentialing platforms storing immunization and health screening records, background check vendors with drug testing data, and applicant tracking systems holding health compliance records should all be evaluated for BAA requirements. The analysis depends on whether the data constitutes PHI in context.

Does a travel nurse agency need HIPAA BAAs?

Yes, in both directions. Travel nurse agencies should sign BAAs with the healthcare facilities they serve, because placed nurses access patient PHI. The agencies also need BAAs with their own vendors — credentialing platforms, immunization tracking systems, background check services — that handle health-related candidate data. The travel nature of the placement doesn't change the underlying compliance obligations.

What credentialing platforms for staffing agencies sign BAAs?

VerityStream, Provider Trust, and Symplr are among the leading credentialing platforms that offer HIPAA BAAs for healthcare staffing firms. These platforms are designed for the credentialing workflows of staffing agencies and health systems. Contact the vendor's compliance or enterprise sales team to initiate BAA execution before sharing health-related candidate records.
