Does Your Cleaning Company Need a BAA?
By BAA Generator Research Team · Published Jul 15, 2026 · Last reviewed Jul 15, 2026 · 6 min read
Key Takeaways
- ✓ Routine janitorial work is not a business-associate activity, so a BAA is usually not required
- ✓ HHS FAQ #243 names janitorial services directly as a permitted incidental disclosure
- ✓ The correct doctrine is the incidental-disclosure exception, not the conduit exception
- ✓ A BAA IS required when the contract adds PHI handling: shredding, file handling, or ePHI device access
- ✓ No BAA does not mean no diligence: require a confidentiality agreement, training, and safeguards
What a BAA actually is
A Business Associate Agreement is a contract HIPAA requires between a covered entity (a healthcare provider) and a business associate, meaning any outside vendor that creates, receives, maintains, or transmits protected health information (PHI) on the covered entity's behalf. The key phrase is "on the covered entity's behalf." If a vendor's job does not involve using or disclosing PHI to do the work, that vendor generally is not a business associate. That distinction is the whole answer for cleaning companies.
It helps to separate two very different situations. In the first, a vendor is hired precisely because it will work with patient information: a billing company files claims, an EHR host stores charts, a transcription service turns dictation into records. Those vendors touch PHI as the point of the job, so they are business associates and need a BAA. In the second, a vendor is hired to perform a physical or operational task that has nothing to do with patient data, and any brush with PHI is accidental. Cleaning falls squarely in the second category, and HIPAA treats it accordingly.
The default rule: janitorial services are not business associates
HHS addresses this directly in HHS FAQ #243: "A business associate contract is not required with persons or organizations whose functions, activities, or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all." HHS specifically names janitorial services, explaining that any PHI a cleaner might see is exposure that "is limited in nature, occurs as a by-product of their janitorial duties, and could not be reasonably prevented," a permitted incidental disclosure, not a use or disclosure that triggers a BAA.
So routine cleaning does not require a BAA. That includes the everyday scope of nearly every janitorial contract in a medical or dental setting:
- Vacuuming, mopping, and floor care
- Trash and general waste removal (not regulated medical waste or shredding)
- Restroom sanitation and restocking
- Surface disinfection of exam rooms, waiting areas, and common spaces
- Dusting, glass, and fixture cleaning
In each of those tasks, the cleaner is not being asked to read, move, copy, or manage patient information. If a chart is left open on a counter and a cleaner glances at it while wiping the surface, that is the textbook "by-product" HHS describes. The activity that was contracted, cleaning, does not involve PHI, so no BAA attaches.
It's the "incidental disclosure" exception, not the "conduit exception"
You will sometimes see cleaning companies claim the "conduit exception" covers janitorial work. That is the wrong doctrine, and getting it right matters if anyone ever has to defend the arrangement. The conduit exception is narrow and applies only to services that transmit PHI with transient access: the postal service, couriers, and internet service providers that carry data from one point to another without meaningfully accessing it. A cleaning company does not transmit anything, so the conduit exception simply does not fit.
The correct basis is the incidental-disclosure provision described above. The difference is not academic. The conduit exception is famously limited, and vendors who lean on it in the wrong context tend to draw scrutiny. Cite incidental disclosure, not the conduit exception, and the analysis holds up.
When a cleaning company does need a BAA
The default flips the moment the scope of work includes handling PHI by assignment, not by accident. If any of the following are written into the contract or performed in practice, the cleaner is creating, receiving, maintaining, or transmitting PHI on the practice's behalf, and a BAA is required:
- Secure document shredding. Collecting, transporting, or destroying paper records containing PHI. BAA required.
- Records-room or file handling. Moving, boxing, or organizing files with patient information as a contracted duty. BAA required.
- Access to devices that store ePHI. Handling workstations, tablets, or media holding electronic PHI. BAA required.
The common thread is intent and control. Once the practice is relying on the cleaner to handle patient information as part of the service, the exposure is no longer incidental, it is the job. If none of those duties are in scope, you are back to the default: no BAA needed. And if a service is borderline, for example a cleaner who empties a shred bin that a separate shredding vendor later destroys, look at who actually handles and controls the PHI, and when in doubt, paper the relationship with a BAA rather than guess.
If you don't need a BAA, here's what to require instead
"No BAA required" does not mean "no diligence required." A practice is still responsible for reasonable safeguards over PHI, and the people walking through your space after hours are part of that picture. Require, at minimum:
- A signed confidentiality agreement covering anything a worker might see
- Documented HIPAA-awareness training for every assigned worker
- Practical safeguards: cleaning around charts and screens without reading, photographing, or repositioning them; locked-cabinet and after-hours access protocols; and background-checked, insured staff
A cleaner that already operates this way is the low-risk choice, and it is worth screening for during procurement rather than after an incident. A vendor that regularly serves medical and dental practices will typically run under a confidentiality agreement with HIPAA-awareness training, and execute a BAA in the specific cases above where one is genuinely required. When you evaluate vendors, ask how they train staff, how they control after-hours access, and whether they are prepared to sign a BAA if your scope ever includes PHI handling.
Dental practices: same rule
Cleaning a dental practice does not require a BAA on its own. The analysis is identical to a medical office: routine janitorial work is incidental to PHI, so no BAA attaches. The requirement only appears if the contract adds PHI-handling duties, such as shredding patient charts, boxing records for storage, or handling operatory computers that store electronic patient data. Dental offices tend to have more paper charts and more small devices in open operatories, so it is worth being explicit in the cleaning contract about what the cleaner does and does not touch.
If you do need one, generating a BAA takes minutes
If your cleaning arrangement crosses into the categories above, or you would simply rather have one on file for peace of mind, you do not need a $500 attorney draft. You can generate a HIPAA-compliant BAA with the BAA Generator template in minutes, every clause mapped to 45 CFR § 164.504(e) and the HHS model BAA. Fill in the parties, download a clean PDF and editable Word file, and keep the signed copy in your vendor records alongside the confidentiality agreement and training documentation.
Frequently asked questions
Does a medical office need a BAA with its cleaning company?
Usually no. Routine janitorial work is not a business-associate activity under HIPAA, because the cleaner does not use or disclose protected health information to do the job. A BAA is only required if the contract includes handling PHI directly, such as shredding records, moving patient files, or accessing devices that store electronic PHI.
Is a janitorial service a HIPAA business associate?
Generally not, per HHS FAQ #243. Any PHI a cleaner might see is treated as a permitted incidental disclosure, not a use or disclosure that triggers a business-associate relationship. A janitorial service only becomes a business associate if handling PHI is part of the contracted service.
Does the conduit exception apply to cleaning companies?
No. The conduit exception is narrow and applies only to transmission-only services with transient access to PHI, such as the postal service, couriers, and internet service providers. Cleaning companies fall under the incidental-disclosure provision instead, not the conduit exception.
When does a cleaning company need to sign a BAA?
When the scope of work includes secure shredding of records containing PHI, records-room or patient-file handling as a contracted duty, or access to workstations, tablets, or media that store electronic PHI. In those cases the cleaner creates, receives, maintains, or transmits PHI on the covered entity's behalf, and a BAA is required.
What should a medical practice require of a cleaner if no BAA is needed?
A signed confidentiality agreement, documented HIPAA-awareness training for every assigned worker, and practical safeguards such as cleaning around charts and screens without reading or repositioning them, locked-cabinet and after-hours access protocols, and background-checked, insured staff.
Generate a compliant BAA in 5 minutes
HHS model BAA provisions · 45 CFR § 164.504(e) compliant · clean PDF + editable Word
No subscription · PDF + Word · Free watermarked preview