HIPAA
January 10, 2026
6 min read

Business Associate Agreements (BAAs): when you need one and what to include

A clinic-owner guide to BAAs, vendor risk, and defensible documentation for HIPAA audit readiness.


Vendors are one of the most common audit weak points for small clinics.

If a vendor touches electronic PHI (ePHI) on your behalf—email providers, cloud storage, EHR vendors, billing services, IT/MSPs—you need documented control over that relationship.

This is where the Business Associate Agreement (BAA) matters.

When do you need a BAA?

In practical terms, you should assume you need a BAA if the vendor:

  • stores ePHI
  • transmits ePHI
  • can access ePHI (including support access)
  • processes ePHI in any form as part of a service

Common examples:

  • EHR platform
  • patient portal
  • email and calendar provider (when used for patient communications)
  • cloud storage used for patient documents
  • managed IT provider with admin access to systems
  • billing/coding services

What should a BAA contain (high-signal checklist)

At minimum, keep BAAs that clearly define:

  • permitted and required uses/disclosures of ePHI
  • safeguards the vendor must maintain
  • incident/breach reporting obligations and timelines
  • subcontractor requirements (flow-down BAAs)
  • access controls and minimum necessary expectations
  • termination and data return/destruction expectations

How to manage vendors defensibly

Clinic owners should treat BAAs as part of a vendor control system:

  1. Maintain a vendor inventory of all systems that touch ePHI.
  2. Link a BAA to each vendor (executed copy).
  3. Collect evidence: security whitepapers, SOC 2 reports (if available), and documentation of MFA enforcement, encryption, logging, and data retention practices.
  4. Track access: who at the vendor can access what, and under what process.
  5. Review annually or on major changes.

Common mistakes OCR flags

  • no executed BAA on file
  • BAAs scattered in email or shared drives
  • “we trust the vendor” without evidence
  • unclear incident reporting responsibilities
  • vendors with broad admin access and no documented access controls

BAAs are not paperwork. They are the contractual foundation of vendor compliance.

Written by

HIPAA Hub Team
