
Business Associate Agreements: What Every Practice Must Know in 2026

Dave Greek, Co-Founder, Protect Compliance Management · May 15, 2026

If you share patient data with a vendor and don't have a signed BAA, you're in violation of HIPAA — full stop. Yet nearly 60% of small practices are missing BAAs with at least one vendor. Here's how to fix that.

A Business Associate Agreement (BAA) is a written contract required by HIPAA between a covered entity (your practice) and any vendor, contractor, or third party that creates, receives, maintains, or transmits Protected Health Information (PHI) on your behalf. The rule is blunt: no signed BAA means a HIPAA violation — even if no breach ever occurs. This guide explains who needs a BAA, what it must contain, and how to keep every agreement audit-ready.

Key takeaway: Every vendor that touches your PHI — billing companies, EHR platforms, cloud storage, IT support — needs a current, signed Business Associate Agreement. Missing or outdated BAAs are one of the easiest violations for OCR to prove. Protect tracks every BAA for you.

Who Needs a BAA?

Any entity that handles PHI while providing services to your practice is a "business associate" and requires a BAA. Per HHS guidance on business associates, this includes, but is not limited to:

  • Electronic Health Record (EHR) vendors
  • Medical billing and revenue cycle management companies
  • Cloud storage providers that store ePHI
  • Email encryption and secure messaging services
  • Transcription services
  • IT support companies with access to your systems
  • Answering services that handle patient calls
  • Shredding companies that destroy paper records
  • Attorneys and accountants who review patient records

What Must a BAA Include?

Per 45 CFR § 164.504(e), a valid BAA must establish permitted uses and disclosures of PHI, require appropriate safeguards, and obligate the business associate to report breaches. HHS even publishes sample BAA provisions you can use as a baseline. Specifically, a compliant agreement must:

  • Describe the permitted and required uses of PHI
  • Prohibit uses not permitted by the agreement or required by law
  • Require appropriate safeguards to protect PHI
  • Require reporting of breaches and security incidents
  • Require the business associate to comply with the HIPAA Security Rule
  • Authorize termination if violations are discovered
  • Require return or destruction of PHI upon termination

The Most Common BAA Mistakes

  • Using an unsigned template. A BAA is not valid until both parties sign it. Many practices download a template but never execute it.
  • Outdated agreements. BAAs must reflect current HIPAA requirements. Agreements signed before the 2013 Omnibus Rule update may be non-compliant.
  • Missing subcontractor BAAs. Your business associate must also have BAAs with their own subcontractors who touch your PHI.
  • No tracking system. Knowing you have a BAA is not enough — you must know when it expires, when it was last reviewed, and whether it covers all current services.

A Real-World Example

In 2023, a dental practice in Texas paid a $40,000 settlement to OCR after an investigation revealed it had no BAA with its billing company, a relationship that had existed for nine years. The billing company had access to PHI for thousands of patients throughout that period. The violation was not a breach or a hack. It was simply a missing document.

Frequently Asked Questions

Do I need a BAA with my cloud provider?

Yes, if the provider stores, processes, or transmits ePHI — even if the data is encrypted and the vendor never views it. Major cloud platforms offer HIPAA BAAs on request.

Is a BAA required if no breach ever happens?

Yes. The absence of a signed BAA is itself a HIPAA violation, independent of whether any PHI is ever exposed.

How long must I keep a signed BAA?

HIPAA requires documentation to be retained for at least six years from the date of creation or the date it was last in effect, whichever is later.

Managing BAAs with Protect

Protect's compliance platform includes a BAA tracking and management module that maintains a complete inventory of all your business associate relationships, stores signed agreements, tracks renewal dates, and alerts you when agreements need to be updated. Explore the platform or contact us to learn more.

The Protect team helps healthcare practices achieve and maintain HIPAA compliance through our comprehensive software platform and expert consulting services.