What to Do If You Discover a Missing HIPAA BAA
By BAA Generator Editorial · Published Apr 19, 2026 · Last reviewed Apr 19, 2026 · 5 min read
Key Takeaways
- ✓ Operating without a required BAA violates 45 CFR § 164.502(e) — the violation is ongoing until fixed
- ✓ Stop sharing new PHI with the vendor immediately upon discovery
- ✓ Execute a BAA with today's date — do not backdate it
- ✓ Assess whether the PHI exposure during the gap period triggers breach notification obligations
Discovering that a vendor has been handling PHI without a signed BAA is a compliance gap that requires immediate, systematic action. Understanding what a BAA is required to contain, and why the rule demands one before PHI changes hands, clarifies why the gap is a violation and what needs to happen to remediate it.
Is a Missing BAA a HIPAA Violation?
Yes. Under 45 CFR § 164.502(e), a covered entity may not disclose PHI to a business associate unless the covered entity obtains satisfactory assurances in the form of a written BAA. Under 45 CFR § 164.504(e), both covered entities and business associates have specific BAA obligations.
The violation is not a future risk. It is an existing violation that began on the date PHI was first shared without a BAA in place. Because it is a continuing violation, each day it persists without remediation can be counted as a separate violation for penalty purposes (45 CFR § 160.406). OCR has discretion in how it counts violations, but documented willful neglect, such as continuing to share PHI after becoming aware that a BAA was missing, falls into the highest penalty tiers.
The good news: OCR's enforcement priority in self-disclosed cases is typically corrective action, not financial penalties. In addition, under 45 CFR § 160.410 a civil money penalty generally may not be imposed for a violation that was not due to willful neglect and is corrected within 30 days of the date the entity knew, or by exercising reasonable diligence should have known, of it. Organizations that discover a BAA gap, remediate it promptly, and document their response are treated more favorably than organizations whose gaps surface through complaints or breach investigations.
Immediate Steps When You Find a BAA Gap
Work through these steps in order:
- Stop sharing new PHI with the vendor — immediately suspend any ongoing PHI transfers or access until a BAA is in place
- Determine the scope of the gap — identify: which vendor, what PHI types were involved, approximately how much PHI, and how long the gap existed (first date of PHI sharing to today)
- Assess whether this vendor is a required business associate — confirm the vendor actually performs a function requiring a BAA (not all vendor relationships require one — see when a BAA is required)
- Contact the vendor to execute a BAA — initiate the process to get a proper BAA signed with today's date. Do not agree to backdate — see our guide on why backdating a BAA is problematic
- Document the gap — record in your compliance files: the vendor name, the PHI involved, the date the gap was discovered, the date the BAA was executed, and what happened during the gap period
- Conduct a breach risk assessment — evaluate whether the disclosure of PHI during the gap period constitutes a reportable breach under the Breach Notification Rule (45 CFR §§ 164.400–414)
- Implement preventive measures — update your vendor onboarding process to require BAA execution before any PHI access; consider a BAA tracking log if you don't have one
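The steps above are easier to apply consistently if the vendor inventory is machine-checkable. The script below is an added example, not code from the original article or from any vendor's product. It assumes a constructed in-memory BAA tracking log with the fields a real log would hold (vendor, whether it handles PHI, the first date PHI was shared, the date the BAA was actually executed) and does three things: flags vendors receiving PHI with no BAA, computes the gap period that must be documented for vendors whose BAA was executed after PHI sharing began, and provides the onboarding gate that refuses PHI access until a BAA is executed (a future-dated or missing execution date blocks access).

```python
"""Audit a BAA tracking log for vendors handling PHI without an executed BAA.

Added example, not part of the original article. The vendor register below is
constructed sample data, not real vendors.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class VendorRecord:
    name: str
    handles_phi: bool                  # does the vendor create/receive/maintain/transmit PHI for us?
    phi_first_shared: Optional[date]   # first date PHI was shared; None if never
    baa_executed: Optional[date]       # date the BAA was actually signed; None if no BAA


@dataclass
class Finding:
    vendor: str
    status: str                 # "no_baa", "gap_before_baa", "covered", or "not_required"
    gap_start: Optional[date]   # first day PHI flowed without a BAA
    gap_end: Optional[date]     # BAA execution date (closed gap) or today (open gap)
    gap_days: int               # number of days PHI was shared with no BAA in place


def assess_vendor(v: VendorRecord, today: date) -> Finding:
    """Classify one vendor and measure the undocumented gap, if any."""
    if not v.handles_phi or v.phi_first_shared is None:
        # No PHI has been shared, so no BAA gap exists (yet).
        return Finding(v.name, "not_required", None, None, 0)
    if v.baa_executed is None:
        # Ongoing violation: the gap runs from first sharing through today, inclusive.
        days = (today - v.phi_first_shared).days + 1
        return Finding(v.name, "no_baa", v.phi_first_shared, today, days)
    if v.baa_executed > v.phi_first_shared:
        # A BAA now exists but was executed after PHI sharing began: a closed
        # gap that still has to be recorded and risk-assessed.
        days = (v.baa_executed - v.phi_first_shared).days
        return Finding(v.name, "gap_before_baa", v.phi_first_shared, v.baa_executed, days)
    return Finding(v.name, "covered", None, None, 0)


def audit(register: List[VendorRecord], today: date) -> List[Finding]:
    """Assess every vendor, worst (longest open gap) first."""
    order = {"no_baa": 0, "gap_before_baa": 1, "covered": 2, "not_required": 3}
    findings = [assess_vendor(v, today) for v in register]
    return sorted(findings, key=lambda f: (order[f.status], -f.gap_days))


def phi_access_allowed(v: VendorRecord, today: date) -> bool:
    """Onboarding gate: PHI may flow only once a BAA is executed.

    A missing execution date blocks access, and so does a date in the future,
    which catches both unsigned agreements and data-entry mistakes.
    """
    if not v.handles_phi:
        return True  # no PHI involved, nothing to gate
    return v.baa_executed is not None and v.baa_executed <= today


# Constructed sample register (not real vendors or dates from the article).
SAMPLE_REGISTER = [
    VendorRecord("CloudHost Inc", True, date(2026, 1, 10), None),               # open gap
    VendorRecord("BillingCo", True, date(2025, 11, 3), date(2026, 2, 1)),        # closed gap
    VendorRecord("ShredSafe", True, date(2025, 6, 1), date(2025, 5, 20)),        # covered
    VendorRecord("OfficeSupply", False, None, None),                             # no PHI
]
AS_OF = date(2026, 4, 19)  # constructed "today" for the sample run


if __name__ == "__main__":
    for f in audit(SAMPLE_REGISTER, AS_OF):
        span = f"{f.gap_start} to {f.gap_end}" if f.gap_start else "n/a"
        print(f"{f.vendor:15} {f.status:16} gap: {span} ({f.gap_days} days)")
    for v in SAMPLE_REGISTER:
        print(f"{v.name:15} PHI access allowed today: {phi_access_allowed(v, AS_OF)}")
```

Run it against your real log export by replacing `SAMPLE_REGISTER`; anything reported as `no_baa` is step 1 (stop sharing now), and the `gap_start` / `gap_end` pair is exactly what step 5 asks you to record.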
Can You Retroactively Fix a Missing BAA?
You can — and should — execute a BAA with today's actual date as soon as possible. A prospective BAA does not retroactively cure the violation that occurred during the gap period, but it does stop the ongoing violation from continuing.
Some vendors will suggest backdating the BAA to the date services began, to make it appear the BAA was always in place. This is legally and ethically problematic. A backdated BAA creates a false record, does not actually cure the gap, and adds document falsification risk on top of the original HIPAA issue. Execute the BAA with the current date and document the gap accurately in your compliance records.
Does a Missing BAA Require Breach Notification?
A missing BAA is a HIPAA Privacy Rule violation — it is not automatically a "breach" under the Breach Notification Rule. The breach analysis is separate.
Under 45 CFR § 164.402, a "breach" is an impermissible acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the PHI. Disclosure to a business associate that has no BAA in place is potentially an impermissible disclosure. Under paragraph (2) of that definition, such a disclosure is presumed to be a breach unless the covered entity (or business associate) demonstrates, through a documented risk assessment, a low probability that the PHI has been compromised, based on at least four factors:
- The nature and extent of the PHI involved (types and amount)
- The identity of the unauthorized person who used or received the PHI
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated
If the vendor in question was performing a legitimate service and the only problem was the missing paperwork — not actual misuse or unauthorized access to PHI — a risk assessment documenting this may support a finding that no breach notification is required. However, this analysis must be documented and defensible. Consult counsel if the volume of PHI is large or the circumstances are uncertain.
Self-Disclosure vs. OCR Investigation
Self-disclosure of a BAA gap to OCR is voluntary. Self-disclosing, combined with documented remediation, generally results in a corrective action plan rather than financial penalties. The factors OCR weighs include how quickly you discovered and corrected the gap, whether any actual harm to PHI occurred, the size of the organization, and whether the organization has a functioning compliance program.
There is no regulatory obligation to self-disclose a BAA gap as distinct from a breach — but if the gap analysis determines a breach occurred, breach notification obligations apply independently. Consult HIPAA counsel before making self-disclosure decisions in complex situations.
Frequently Asked Questions
Is operating without a BAA a HIPAA violation?
Yes. Sharing PHI with a business associate without a signed BAA violates 45 CFR § 164.502(e) and § 164.504(e). The violation begins on the date PHI is first shared and continues until a BAA is in place. Both the covered entity and the business associate can be held liable.
What are the penalties for a missing BAA?
HIPAA civil money penalties are tiered by culpability, and the dollar amounts are adjusted for inflation each year (45 CFR § 102.3), so check the current figures before relying on them. Under the 2024 adjustment, Tier 2 (reasonable cause) carries $1,424–$71,162 per violation; Tier 4 (willful neglect, not corrected within 30 days) carries the highest per-violation amount, up to the annual cap for violations of an identical provision. Two points matter more than the figures: a violation not due to willful neglect that is corrected within 30 days of when you knew or should have known of it is generally not subject to a civil money penalty at all (45 CFR § 160.410), and in practice self-reported cases with prompt remediation typically result in corrective action rather than financial penalties, though this is OCR's discretion, not a guarantee.
Do I need to report a discovered BAA gap to OCR?
A BAA gap is a Privacy Rule violation, not automatically a reportable breach. If your breach risk assessment determines that the disclosure during the gap period constitutes a breach under the Breach Notification Rule (45 CFR §§ 164.400–414), then breach notification requirements apply. The BAA gap itself carries no mandatory OCR self-disclosure requirement, though voluntary disclosure combined with remediation is often the most prudent approach for significant gaps.
Close your BAA gap today — generate a properly dated BAA in minutes
Stop the ongoing violation. Execute a BAA with today's date and document your remediation.
Generate BAA for Free →