When Is a Business Associate Agreement Required? (2026)

A Business Associate Agreement is one of the core compliance documents under HIPAA. It creates a legally binding framework between a covered entity and any outside party that will access protected health information. Without one, even routine vendor relationships can trigger federal enforcement action.
But not every vendor relationship requires a BAA. The line between "business associate" and "not a business associate" depends on what the vendor does with PHI, how much access the vendor has, and whether a specific regulatory exception applies. This guide breaks down the scenarios that trigger the requirement, the exceptions that remove it, and the real enforcement consequences of getting it wrong.
What Makes Someone a Business Associate Under HIPAA
The HIPAA Privacy Rule at 45 CFR 160.103 defines a business associate as any person or entity, other than a member of the covered entity's workforce, that performs functions or activities on behalf of the covered entity involving the use or disclosure of PHI.
HHS groups business associate activities into two categories. The first covers functions and activities: claims processing, data analysis, utilization review, quality assurance, billing, benefit management, practice management, and repricing. The second covers services: legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial services.
The key factor is PHI access. A vendor that never touches, sees, stores, or transmits PHI is not a business associate, regardless of the services provided. A vendor that does handle PHI in any of these capacities triggers the BAA requirement.
The Two-Part Test
Determining whether a BAA is needed comes down to two questions. First, is the vendor performing a function or service on behalf of the covered entity (or a business associate)? Second, does that function or service involve creating, receiving, maintaining, or transmitting PHI?
If both answers are yes, a BAA is required before any PHI changes hands. Under 45 CFR 164.502(e), a covered entity may not disclose PHI to a business associate without first obtaining satisfactory assurances, in the form of a written contract, that the business associate will appropriately safeguard the information.
Common Vendor Categories That Require a BAA
Several vendor types almost always qualify as business associates. Understanding these categories helps organizations identify BAA gaps before they become compliance problems.
Cloud Service Providers
According to HHS guidance on cloud computing, any cloud service provider (CSP) that creates, receives, maintains, or transmits ePHI on behalf of a covered entity is a business associate. This applies even if the CSP does not actually view the data. The mere fact that a CSP stores ePHI, even in encrypted form, establishes the business associate relationship.
This means services like cloud-based EHR hosting, data backup platforms, email platforms that process PHI, and cloud storage solutions all require a BAA.
Medical Billing Companies
Third-party billing services process claims that contain patient names, diagnoses, treatment codes, and insurance information. These vendors routinely create, receive, and transmit PHI as a core function of their work. A BAA is always required.
IT Service Providers and Software Vendors
IT companies that manage networks, maintain servers, or provide technical support for systems containing ePHI are business associates when their work gives them access to PHI. According to HHS FAQ 256, a software vendor is a business associate if it needs access to PHI to perform its services, such as software updates or maintenance on systems containing PHI.
However, a vendor that merely sells software to a covered entity without gaining access to PHI is not a business associate. The distinction turns on whether the vendor can access the data.
Document Storage and Shredding Services
Companies that store medical records or shred documents containing PHI are business associates. HHS has confirmed that a covered entity may hire a business associate to dispose of PHI, but the covered entity needs a BAA requiring the business associate to appropriately safeguard the PHI through the disposal process.
Answering Services and Call Centers
Medical answering services that take calls from patients and record messages containing health information are business associates. They receive PHI (patient names, symptoms, callback numbers) as a core part of their service.
Legal, Accounting, and Consulting Firms
Attorneys, CPAs, and consultants become business associates when their work for a covered entity involves access to PHI. An attorney reviewing medical records for a malpractice defense or a CPA auditing billing records that include patient information both qualify. HHS guidance confirms that a lawyer who is a business associate must also ensure that any agents or subcontractors receiving PHI agree to the same privacy restrictions.
When a BAA Is NOT Required
Not every relationship involving a healthcare organization triggers a BAA. HIPAA carves out several important exceptions.
The Conduit Exception
The conduit exception exempts entities whose only role is transporting PHI without accessing it in any meaningful way. HHS explains that the U.S. Postal Service, United Parcel Service, and similar delivery services are not business associates because they merely transport sealed packages.
The same logic extends to electronic equivalents, but the exception is narrow. According to HHS FAQ 2077, the conduit exception applies only to transmission-only services, including any temporary storage incident to the transmission. The moment a service stores ePHI for any purpose beyond what is needed for the transmission itself, the conduit exception no longer applies, and a BAA is required.
Internet service providers (ISPs) that merely transmit data packets generally qualify as conduits. A cloud service that stores ePHI on its servers does not.
Treatment Disclosures Between Providers
When one healthcare provider sends PHI to another healthcare provider for treatment purposes, no BAA is needed. HHS has stated that the business associate requirements do not apply to disclosures by a covered entity to a healthcare provider for treatment. A hospital referring a patient to a specialist and sharing the patient's records does so under the treatment exception, not a business associate relationship.
Employees and Workforce Members
Members of a covered entity's workforce are not business associates. The term "workforce" under HIPAA includes employees, volunteers, trainees, and other persons whose conduct the covered entity directly controls, whether or not they are paid. These individuals are governed by the covered entity's own HIPAA policies and training, not by a BAA.
However, temporary staffing agencies and independent contractors who are not under the covered entity's direct control typically are business associates. HHS has noted one exception: when an employee of a contractor (such as an IT vendor) has a primary duty station on-site at the covered entity, the covered entity may choose to treat that individual as a workforce member rather than a business associate.
Incidental Contact With PHI
A business associate contract is not required with persons or organizations whose functions do not involve the use or disclosure of PHI, and where any contact with PHI would be incidental. HHS FAQ 243 uses the example of janitorial services. A cleaning crew that empties trash cans in a medical office may occasionally see discarded documents, but their job does not involve handling PHI. That incidental exposure does not make them a business associate.
Health Plans and Network Providers
A provider participating in a health plan's network is not automatically a business associate of that plan. If the only relationship between the health plan and the provider is the submission of claims for payment, the provider is not a business associate of the plan.
Subcontractor BAA Requirements Under HITECH
Before the HITECH Act and the 2013 Omnibus Rule, only covered entities had direct obligations under HIPAA. Business associates were bound only by their contracts, not by the regulation itself.
The Omnibus Rule changed this in two major ways. First, it made business associates directly liable for HIPAA violations. Second, it extended the BAA requirement down the chain to subcontractors.
Under the current rules, a business associate that hires a subcontractor to create, receive, maintain, or transmit PHI on its behalf must execute a BAA with that subcontractor. The subcontractor's BAA must contain the same elements required in the covered entity's BAA with the business associate, as specified in 45 CFR 164.504(e).
This creates a chain of accountability. A hospital signs a BAA with its EHR vendor. That EHR vendor signs a BAA with its cloud hosting provider. The cloud hosting provider signs a BAA with its data backup subcontractor. At every level where PHI is handled, a BAA must exist.
A business associate that fails to obtain a BAA from a subcontractor, or fails to address a known material breach of that subcontractor's BAA, faces direct enforcement action from OCR.
What a BAA Must Include
A BAA is not a generic confidentiality agreement. Under 45 CFR 164.504(e), it must contain specific provisions that HHS has outlined in its model BAA.
Required elements include provisions that establish the permitted uses and disclosures of PHI, require the business associate to use appropriate safeguards to prevent unauthorized use or disclosure, require the business associate to report any security incidents or breaches, require that subcontractors handling PHI agree to the same restrictions, require the business associate to make PHI available to individuals exercising their access rights, and require the return or destruction of PHI at the end of the relationship.
The agreement must also authorize termination if the covered entity determines that the business associate has violated a material term of the contract.
OCR Enforcement: Real Penalties for Missing BAAs
The HHS Office for Civil Rights (OCR) has made clear through enforcement actions that operating without a BAA is a standalone HIPAA violation, regardless of whether a breach actually occurs.
Raleigh Orthopaedic Clinic: $750,000
In 2016, Raleigh Orthopaedic Clinic in North Carolina agreed to pay $750,000 after turning over the x-ray films and related PHI of 17,300 patients to a company that promised to transfer images to electronic media in exchange for harvesting the silver content from the films. The agreement was made over the phone with no BAA in place. OCR's corrective action plan required the clinic to designate a responsible individual for ensuring BAAs are obtained before any PHI disclosure.
Advanced Care Hospitalists: $500,000
Advanced Care Hospitalists (ACH), a Florida contractor physician group, paid $500,000 in 2018 after OCR discovered that ACH had shared PHI with a medical billing vendor without ever executing a BAA. Patient information ended up viewable on the billing service's website. OCR's investigation revealed that ACH had no policy requiring BAAs with business associates until 2014.
Center for Children's Digestive Health: $31,000
The Center for Children's Digestive Health (CCDH), a small pediatric practice in Illinois, settled for $31,000 in 2017 after OCR found that CCDH had been disclosing PHI to a records storage company since 2003 without a signed BAA. Neither party could produce one. Even for a small practice, the absence of a BAA triggered enforcement action.
The Pattern
These cases share a common thread. OCR treats a missing BAA as a serious compliance failure, separate from any underlying data breach. The settlements consistently include both a monetary payment and a corrective action plan that requires the organization to audit all vendor relationships, execute BAAs where needed, and designate a person responsible for ongoing BAA compliance.
How to Determine If a Specific Vendor Needs a BAA
Organizations that work with many vendors can use a straightforward analysis to determine which relationships require a BAA.
Start by listing every third party that provides services to the organization. For each vendor, ask whether the vendor will access, create, receive, store, or transmit PHI in any form (paper, electronic, or oral) as part of the service. If the answer is yes, ask whether any exception applies: the conduit exception, the treatment disclosure exception, or the workforce member classification.
If no exception applies and the vendor will handle PHI, a BAA is required. Organizations should conduct this analysis before the vendor relationship begins, not after PHI has already been shared. As the Raleigh Orthopaedic and ACH settlements demonstrate, retroactive compliance does not prevent penalties.
For organizations evaluating HIPAA compliance platforms to manage their vendor programs, many offer built-in BAA tracking features that flag gaps in coverage.
HIPAA Compliance and BAA Best Practices
While this article provides legal information about BAA requirements, every organization's vendor landscape is different. Healthcare providers, health plans, and clearinghouses should consult an attorney for advice specific to their situation, particularly when vendor relationships involve complex data flows or cross multiple jurisdictions.
For more background on the broader HIPAA framework, see our HIPAA overview. To understand what a BAA contains and how it works in practice, see What Is a Business Associate Agreement.
Sources and References
- Business Associates - HHS.gov HIPAA Guidance (hhs.gov)
- Covered Entities and Business Associates - HHS.gov (hhs.gov)
- Business Associate Contracts: Sample Provisions - HHS.gov (hhs.gov)
- Direct Liability of Business Associates Fact Sheet - HHS.gov (hhs.gov)
- Guidance on HIPAA and Cloud Computing - HHS.gov (hhs.gov)
- HHS FAQ 2077: Conduit Exception for Cloud Service Providers (hhs.gov)
- HHS FAQ 243: Business Associate Contract for Inadvertent Contact with PHI (hhs.gov)
- HHS FAQ 245: Postal Service and Couriers as Business Associates (hhs.gov)
- No Business Associate Agreement? $31K Mistake - CCDH Settlement (hhs.gov)
- $750,000 Settlement: Raleigh Orthopaedic Clinic BAA Failure (hhs.gov)
- Advanced Care Hospitalists Settlement - HHS.gov (hhs.gov)
- HHS FAQ 577: Business Associate for PHI Disposal (hhs.gov)
- 45 CFR 160.103 - Definitions (Business Associate) (ecfr.gov)