When Do You Need a HIPAA BAA?
5 min read · HIPAA Compliance
One of the most common compliance questions in healthcare is also one of the most nuanced: when exactly does a business relationship require a HIPAA Business Associate Agreement? The answer depends on whether PHI is involved — and how.
The Trigger: Access to Protected Health Information
A BAA is required whenever a covered entity shares protected health information (PHI) with an outside party — called a business associate — that performs a function or service on its behalf. The key phrase is "on its behalf." Incidental access alone doesn't necessarily create a business associate relationship.
Under 45 CFR § 160.103, a business associate is a person or entity that:
- Creates, receives, maintains, or transmits PHI on the covered entity's behalf for a function or activity regulated by HIPAA (claims processing, billing, data analysis, quality assurance, and the like)
- Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to the covered entity, where providing the service involves the disclosure of PHI
- Provides data transmission services with respect to PHI and requires routine access to it (for example, a health information organization or e-prescribing gateway)
- Offers a personal health record to individuals on behalf of a covered entity
Relationships That Require a BAA
If any of the following describe your vendor or contractor, you need a BAA before sharing PHI with them:
- EHR and practice management software vendors — they store and process patient records
- Medical billing and revenue cycle companies — they receive patient diagnoses and insurance information
- Cloud storage and backup providers — if PHI is stored in the cloud (e.g., AWS, Google Cloud, Box). Encrypting the data before upload does not remove the requirement: under OCR's cloud computing guidance, a provider that stores encrypted ePHI is still a business associate even if it never holds the decryption key
- Telehealth platforms — they transmit clinical encounters containing PHI
- IT support and managed service providers (MSPs) — if they have access to systems containing PHI
- Medical transcription services
- Legal and accounting firms — if they review documents containing PHI
- Shredding and document destruction companies — for physical records containing PHI
- Answering services — if they take messages that include patient information
Relationships That Do NOT Require a BAA
Not every outside party requires a BAA. The following typically do not:
- Covered entity to covered entity — when the recipient is acting in its own capacity, such as a provider disclosing PHI to another provider for treatment or to a health plan for payment, no BAA is required (though many organizations execute them anyway as best practice). A BAA is required if one covered entity performs a business associate function for the other, for example a hospital that handles another hospital's billing
- Janitorial or cleaning staff — incidental, non-purposeful access to physical areas containing PHI does not create a business associate relationship
- Contractors who never access PHI — a website developer who only works on a public marketing site, for example
- Conduit providers — internet service providers, postal services, and couriers that merely transmit information, with access that is random or infrequent, are excluded. The exception is narrow: a cloud storage provider that persistently holds PHI is not a conduit, even if it never reads the data
- Employment functions — HR vendors managing employee (not patient) data
Subcontractors: The Chain Extends
Under the HITECH Act, as implemented by the 2013 Omnibus Rule, the BAA requirement extends down the supply chain. If your business associate shares PHI with a subcontractor, that subcontractor is itself a business associate and must sign a BAA with the business associate that engaged it. This means that cloud subprocessors, offshore development teams, and third-party analytics platforms used by your EHR vendor may each require their own BAAs, and you should ask vendors how they document and enforce those downstream agreements.
When to Get the BAA Signed
The BAA must be in place before PHI is shared, not after. Disclosing PHI to a vendor without a BAA in place is an impermissible disclosure in its own right, and OCR has cited missing or late BAAs in enforcement actions. Many organizations make the mistake of executing BAAs retroactively after a vendor relationship has already begun; a signed agreement does not cure the disclosures that preceded it. Make BAA execution a gating step in your vendor onboarding checklist, so that no system access or data transfer is provisioned until the agreement is signed.
For details on what must actually be in the agreement, read our guide on HIPAA BAA requirements. Or if you're wondering whether a BAA and an NDA are interchangeable, see BAA vs. NDA: What's the Difference?
Need a BAA for a new vendor relationship?
Generate a HIPAA-compliant Business Associate Agreement in minutes — free to start.
Generate BAA for Free →