HIPAA Compliance

Business Associate Agreement Checklist for Small Practices

6 min read · Updated April 25, 2026

If your practice is on the small side (one to ten providers), the Business Associate Agreement (BAA) is one of the most ignored corners of HIPAA, and one of the easiest for the Office for Civil Rights to ask about. The good news: the requirements are concrete. You can work through them in an afternoon, fix the gaps, and put the evidence in one place.

This guide is a working checklist. It walks through who counts as a Business Associate, when a BAA is required, what clauses the BAA must contain, and how to track all of it without losing your weekend.

What a Business Associate actually is

The definition lives at 45 CFR 160.103. A Business Associate (BA) is a person or entity, other than a member of the workforce, that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity to perform a function or activity regulated by HIPAA, or that provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to the covered entity where the service involves disclosure of PHI. That second clause is why the attorneys and accountants below make the list.

In a typical small practice, that usually includes:

  • Your EHR vendor
  • Your billing service or RCM partner
  • Your clearinghouse
  • Your IT managed service provider (MSP) or IT consultant with admin access
  • Cloud storage or backup services that hold PHI
  • Transcription services
  • Document shredding services that pick up PHI
  • Outside attorneys or accountants who review PHI in the course of their work
  • Answering services that take patient information
  • Any third-party analytics, scribe, or AI tool that touches the chart

The test is functional, not contractual. If they touch PHI on your behalf, they are a Business Associate, and the relationship needs a written agreement.

When a BAA is required

Two provisions control this. 45 CFR 164.502(e)(1) says a covered entity may disclose PHI to a Business Associate, or allow the BA to create, receive, maintain, or transmit PHI on its behalf, only if it obtains satisfactory assurances that the BA will appropriately safeguard the information. 45 CFR 164.502(e)(2) says those satisfactory assurances must be documented in a written contract or other written arrangement that meets the requirements of 164.504(e), which is where the required contents live.

In other words: no signed BAA, no lawful disclosure of PHI to that vendor.

Required clauses: what every BAA must contain

The required elements come from 45 CFR 164.504(e)(2). In plain language, the BAA must:

  1. Establish and limit uses and disclosures. The contract must spell out the permitted and required uses and disclosures (e)(2)(i), and the BA may only use or disclose PHI as the contract permits or as required by law (e)(2)(ii)(A).
  2. Require appropriate safeguards. For electronic PHI, the BA must comply with the Security Rule (Subpart C of Part 164) directly (e)(2)(ii)(B). This is the core technical and administrative safeguards obligation.
  3. Require reporting of unauthorized uses, disclosures, and breaches (e)(2)(ii)(C). This includes Security Incident reporting under 164.314(a)(2)(i)(C) and breach notification timing under 164.410.
  4. Flow down to subcontractors. Per 164.504(e)(2)(ii)(D), read with 164.502(e)(1)(ii) and the Security Rule counterpart at 164.314(a)(2)(i)(B), any subcontractor of the BA that creates, receives, maintains, or transmits PHI must agree to the same restrictions and conditions through its own BAA.
  5. Support individual rights. Specifically: access (164.524), amendment (164.526), and accounting of disclosures (164.528) when the BA holds PHI in a designated record set, and, where the BA carries out one of your Privacy Rule obligations, compliance with the requirements that apply to you in performing it.
  6. Make internal practices, books, and records relating to the use and disclosure of PHI available to HHS for purposes of determining the covered entity's compliance.
  7. Return or destroy PHI on termination, if feasible. If not feasible, the protections continue and further uses or disclosures are limited to the reasons that make return or destruction infeasible.
  8. Allow termination for material breach (e)(2)(iii). The covered entity must be able to terminate the contract if the BA violates a material term.

If a clause is missing, the BAA does not meet the regulatory bar, even if the vendor calls it a BAA.

The Security Rule mirror and subcontractor reality

The Security Rule has its own organizational requirements at 45 CFR 164.314(a), which mirror the privacy-side BAA contents for ePHI. Since the HITECH Act and the 2013 Omnibus Rule, subcontractors of Business Associates are themselves Business Associates and must have BAAs in place with the upstream BA. You do not sign a BAA directly with the subcontractor, but your BA must, and your BAA should require it.

Breach notification by the BA

Under 45 CFR 164.410, a Business Associate must notify the covered entity of a breach of unsecured PHI without unreasonable delay and in no case later than 60 calendar days after discovery. The BAA should restate this and ideally tighten the timeline (many practices ask for notice within a few business days). The reason is the interaction with your own clock: under 164.404, you must notify affected individuals without unreasonable delay and within 60 days of the date you discover the breach. If the BA is acting as your agent, the BA's discovery is treated as your discovery, so a BA that waits the full 60 days has consumed your entire notification window before you hear about it. If the BA is an independent contractor, your clock starts when the BA tells you, but a late report still leaves you investigating a stale incident. Either way, a short contractual notice period is the fix.

The conduit exception (it is narrower than vendors claim)

Some vendors will tell you they are a "conduit" and therefore do not need a BAA. The conduit exception comes from the preamble to the 2013 Omnibus Rule, 78 FR 5571. HHS made it explicit: the exception is narrow. It covers transmission-only services such as the postal service, delivery couriers, and internet service providers acting purely as a pipe.

It does not cover:

  • Cloud storage providers (even if the vendor "cannot read" the data)
  • EHRs, practice management systems, billing platforms
  • IT MSPs with administrative access to systems holding PHI
  • Email providers that store messages
  • SaaS vendors that process or hold PHI for any meaningful period

Per HHS, persistent access to PHI, even encrypted PHI, generally takes a vendor out of conduit status. If a vendor invokes the conduit exception to avoid signing a BAA, the burden is on you to document why you accepted that, and the analysis should be honest.

Clickthrough Terms of Service do not satisfy the BAA requirement. Free or consumer-tier Gmail, Skype, Dropbox, iCloud, and similar services typically do not offer a BAA at all. Using them for PHI is not a paperwork problem, it is a disclosure without satisfactory assurances under 164.502(e).

Use the HHS sample, then extend it

HHS publishes Sample Business Associate Agreement Provisions on hhs.gov. The sample tracks the 164.504(e)(2) required elements and is a reasonable starting point if a vendor sends you something thin or missing clauses. You can extend (tighter breach notice, audit rights, indemnification, insurance) but you cannot omit the required clauses and stay within the rule.

Vendor inventory: the part most practices skip

The single biggest gap in small-practice HIPAA programs is not a missing clause, it is not knowing which vendors touch PHI. Build a simple inventory and keep it current. For every vendor with PHI access, capture:

  • Vendor name and primary contact
  • What PHI they touch and how (storage, transmission, processing, viewing)
  • BAA on file: yes or no
  • Executed date and effective date
  • Version: was the BAA executed or updated after the 2013 Omnibus Rule? The transition period for grandfathered pre-Omnibus agreements ended September 22, 2014; a BAA that predates Omnibus and has never been amended is not sufficient.
  • Renewal or expiration date, if any
  • Where the signed copy is stored (and who can produce it on request)
  • Subcontractor disclosure: does the vendor list its own subcontractors that handle PHI?

Review the inventory at least annually, and any time you onboard a new vendor or change platforms.

What is coming: the 2025 Security Rule NPRM

HHS released a Notice of Proposed Rulemaking for the Security Rule at the end of December 2024, published in the Federal Register in January 2025 (commonly cited as the 2025 Security Rule NPRM). One proposed change would require covered entities to obtain, at least once every 12 months, written verification from each Business Associate that the BA has deployed the required technical safeguards, supported by a written analysis from a subject matter expert. Another would require a BA to notify the covered entity within 24 hours of activating its contingency plan. These are proposed, not adopted, and the requirements may shift before anything takes effect. They are worth tracking because they would meaningfully expand the documentation and reporting expected from BAs, and the BAA is where that obligation would have to be written down.

Where D3rx fits

D3rx maintains a Compliance Binder for each practice. The binder includes a vendor and BAA tracker so you can see, in one screen, every vendor that touches PHI, whether a BAA is on file, when it was signed, and where the executed copy lives. When a payer, partner, or OCR investigator asks for evidence, you can produce it without an email scavenger hunt. The Compliance Binder is one of the cleanest ways to keep this current without hiring a compliance consultant.

A short working checklist

  1. List every vendor and partner that creates, receives, maintains, or transmits PHI on your behalf.
  2. For each, confirm a written, post-Omnibus BAA is on file.
  3. Confirm the BAA contains the required elements at 164.504(e)(2) (the eight items above).
  4. Confirm breach notification language matches or beats the 60-day cap at 164.410.
  5. Confirm subcontractor flow-down language is present.
  6. Reject conduit-exception claims for vendors that store, process, or have persistent access to PHI.
  7. Replace any consumer-tier services being used for PHI with versions that offer a BAA, or stop using them for PHI.
  8. Store signed copies in one location and assign one person responsible for the inventory.
  9. Re-review annually and on any vendor change.

Disclaimer: D3rx organizes documentation and produces point-in-time assessment materials. It does not certify compliance, provide legal advice, or guarantee an OCR audit outcome. This guide is informational and is not legal advice. For specific situations, consult qualified healthcare counsel.
