Skip to content
English
Contact us
  • There are no suggestions because the search field is empty.

Business Associates, BAAs & Vendor Management Under HIPAA

Learn what qualifies as a Business Associate, when a Business Associate Agreement (BAA) is required, and how to properly manage vendors under HIPAA.

Understanding Business Associates

Under HIPAA, organizations that handle Protected Health Information (PHI) fall into two categories:

  • Covered Entities

  • Business Associates

This article focuses on Business Associates and vendor oversight responsibilities.

What Is a Business Associate?

A Business Associate (BA) is a person or organization that:

  • Performs services for a Covered Entity

  • Involves the use, access, creation, maintenance, or transmission of PHI

Business Associates are not healthcare providers themselves, but they work on behalf of providers and have access to patient information as part of their services.

Common Examples of Business Associates

Business Associates may include:

  • Medical billing companies

  • IT service providers

  • EHR hosting vendors

  • Cloud storage providers

  • Compliance consultants

  • Attorneys reviewing patient records

  • Data analytics firms

  • Collection agencies

  • Document shredding companies

If a vendor can access PHI (even indirectly) they may qualify as a Business Associate.

Access vs. Use

A common misconception is that a vendor must actively use PHI to be considered a Business Associate.

Under HIPAA, the ability to access PHI is often enough to trigger Business Associate status.

If a vendor has system-level access or stores patient data, they likely qualify (even if they “never look at it.”)

When Is a Business Associate Agreement (BAA) Required?

A Business Associate Agreement (BAA) is required whenever:

  • A Covered Entity shares PHI with a Business Associate

  • A vendor creates, receives, maintains, or transmits PHI on behalf of the Covered Entity

The BAA must be executed before PHI is disclosed.

What Is a BAA?

A Business Associate Agreement is a written contract that:

  • Defines permitted uses of PHI

  • Requires appropriate safeguards

  • Establishes breach reporting requirements

  • Prohibits unauthorized disclosures

  • Requires downstream compliance by subcontractors

It ensures both parties understand their compliance responsibilities.

When Is a BAA Not Required?

A BAA is generally not required for vendors that:

  • Do not access PHI

  • Provide utilities (electricity, internet)

  • Deliver office supplies

  • Perform services with no data exposure

However, organizations should carefully evaluate access levels before determining that a BAA is unnecessary.

Vendor Management & HIPAA Compliance

Vendor oversight is a critical component of HIPAA compliance.

Outsourcing services does not outsource responsibility.

If a vendor causes a breach, the Covered Entity may still face investigation and penalties.

Key Elements of Effective Vendor Management

1. Identify All Business Associates

Maintain an updated list of vendors that:

  • Access PHI

  • Store PHI

  • Transmit PHI

  • Support systems containing PHI

Vendor classification is the first step in compliance.

2. Execute & Track BAAs

Ensure that:

  • BAAs are signed before PHI is shared

  • Agreements are centrally stored

  • Expiration dates are tracked

  • Updates are executed when services change

Failure to maintain signed BAAs is a common enforcement finding.

3. Evaluate Vendor Security Practices

Covered Entities should perform reasonable due diligence, such as confirming:

  • The vendor has conducted a Security Risk Analysis

  • Encryption is used where appropriate

  • Access controls are in place

  • Audit logs are maintained

  • Incident response procedures exist

Documentation of this review demonstrates reasonable safeguards.

4. Ongoing Monitoring

Vendor management is not a one-time event.

Best practices include:

  • Annual vendor review

  • Monitoring high-risk vendors

  • Reviewing incident reports

  • Updating agreements as relationships evolve

What Regulators Look For

During an OCR investigation, regulators may request:

  • A list of Business Associates

  • Copies of signed BAAs

  • Evidence of vendor oversight

  • Risk analysis documentation addressing third-party access

Failure to properly manage vendors is frequently cited in enforcement actions.

Common Compliance Mistakes

  • Sharing PHI before executing a BAA

  • Assuming a vendor is “HIPAA compliant” without documentation

  • Failing to track BAA expiration dates

  • Not reviewing vendor security practices

  • Not updating agreements when services change

Key Takeaways

  • A Business Associate is any vendor that handles PHI on behalf of a Covered Entity.

  • A BAA is required before PHI is shared.

  • Access alone can trigger Business Associate status.

  • Covered Entities remain responsible for vendor oversight.

  • Vendor management should be documented, structured, and ongoing.

Strong vendor oversight significantly reduces compliance risk.

Need help reviewing your vendor relationships?
Ensure your Business Associate inventory and agreements are current and properly documented.

Last reviewed: February 2026