Vendors and BAAs

BAA Vendor List: Which Vendors a Small Practice Needs to Sign With

5 min read · Last reviewed May 22, 2026

When a BAA is actually required

A Business Associate Agreement is required whenever a covered entity engages a non-workforce person or organization to perform a function or activity on behalf of the covered entity that involves access to PHI. The defining text is at 45 CFR 160.103 (definition of Business Associate) and the BAA contract requirements live at 164.504(e)).

The HHS Business Associate Contracts sample provisions page is the model the agency itself publishes. Use it as a comparison baseline when reviewing a vendor's contract.

When a BAA is not required

Two situations come up often:

  • Conduits (telephone companies, internet service providers, postal services) that transmit but do not regularly access PHI. OCR's BA FAQ sets the narrow scope of the conduit exception.
  • Workforce members — employees, volunteers, trainees — covered under 164.103. They are governed by training and sanctions, not a BAA.

If a vendor accesses, stores, transmits, or processes PHI as part of doing work for the practice, assume a BAA is required and rebut the assumption only with a clear citation.

Vendor categories where small practices typically need a BAA

The list below is a working baseline. Every practice's stack is different; treat this as a checklist, not a closed set.

  • Electronic Health Record vendor — including the EHR's cloud hosting, modules, and add-ons.
  • Practice management software if separate from the EHR.
  • Clearinghouse for eligibility, claims, ERA, and remits.
  • Revenue cycle management / billing service / coding contractor if performed by a non-employee.
  • Patient communication platforms — appointment reminder text/voice, patient portal SaaS, recall outreach.
  • Telehealth platform.
  • E-prescribing infrastructure (Surescripts is the network; EHR vendor BAA usually covers it).
  • Lab and imaging interfaces outside of the EHR (Quest, LabCorp, Cosmos, regional hospital interface).
  • Specialty registries that pull patient-level data.
  • MIPS / quality reporting submission services.
  • Cloud storage, backup, and disaster recovery services that hold ePHI.
  • Email and productivity vendor if mailboxes carry PHI (Google Workspace BAA, Microsoft 365 BAA — both require turning on the BAA explicitly per the vendor's instructions).
  • Document scanning and storage vendors.
  • Shredding service for paper PHI (most vendors offer a BAA even though paper is not ePHI, since the rule covers all PHI through the Privacy Rule).
  • Transcription, AI scribe, and ambient documentation vendors.
  • Marketing and patient acquisition tools that touch any PHI element.
  • Web hosting and analytics if PHI passes through (OCR's December 2022 guidance on online tracking is the touchstone; a 2024 federal court vacated parts but the BAA position remains where third-party trackers touch PHI).
  • Patient survey, review, and reputation management tools that send identified survey invitations.
  • Bookkeeping, accounting, or back-office services if any deidentified-claim data still contains PHI.
  • IT support, MSP, and managed firewall/IDS vendors that have access to systems holding ePHI.
  • Hardware leasing or copier service vendors if devices retain images of PHI.
  • Specialty cloud platforms: cardiac monitoring vendors, sleep study vendors, dental imaging clouds, RPM and RTM platforms.
  • Pharmacy benefit communications tools.
  • Population health / care management platforms.
  • Coding and audit tools that ingest charts.

Subcontractor BAAs

Under the 2013 Omnibus rule, business associates must execute BAAs with their own subcontractors that create, receive, maintain, or transmit PHI on their behalf. The chain extends as far as the data flows. As a practice, you do not sign the subcontractor BAA, but you are entitled to know your direct business associate has done so. OCR's BA guidance confirms the obligation flows through.

Common gaps OCR finds

OCR's published Resolution Agreements (see the Enforcement Highlights page) repeatedly note:

  • No BAA on file for a vendor that obviously handled ePHI
  • A BAA signed years ago, never re-papered after the 2013 Omnibus rule
  • A BAA that omits the required terms in 164.504(e)(2)(2))
  • A BAA with a vendor's predecessor entity after an acquisition

A defensible BAA log addresses all of those by listing each active vendor, the BAA version and signature date, the responsible party, and a re-paper date when the underlying contract is renewed.

The Change Healthcare lesson

The February 2024 ransomware incident at Change Healthcare put a magnifying glass on subcontractor risk. UnitedHealth Group's public disclosures and HHS's resource page describe the scope. Small practices found out that the clearinghouse their EHR routed through was a single point of failure they had not separately inventoried. Lesson: the BAA log should match the data flow diagram. If a vendor sits on the data path, it needs to be in the inventory and the BAA log.

What a defensible BAA log contains

  • Vendor legal name and DBA
  • Vendor category (EHR, clearinghouse, MSP, etc.)
  • Data flow summary (what ePHI flows, in which direction)
  • Current contract reference
  • BAA version, effective date, expiration
  • Document storage location
  • Owner inside the practice
  • Re-paper / re-review date
  • Status field (active, terminated, in negotiation)

Restraint about claims

No vendor's BAA, on its own, makes a practice compliant. The Security Rule is a process; the BAA is one supporting document inside the process. A practice that maintains a current BAA log and ties it back to its data flow inventory is doing the work the rule asks for.

How D3rx fits

D3rx SRA Binder Studio includes a vendor and BAA inventory inside the binder, prompts for the data flow per vendor, and surfaces the underlying citation each step of the way. It is a point-in-time documentation aid; the practice remains responsible for actually executing and maintaining each BAA.

Next steps

See where your practice currently stands with the free 5-question readiness check, or review the full workflow and pricing on the main SRA page.

Where do you stand on your SRA today?

Five quick questions, no signup. You'll see which Security Rule sections your practice already has covered and which ones still need work.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, the Code of Federal Regulations, and NIST.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. 45 CFR 160.103https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-A/section-160.103
  2. 164.504(e)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.504#p-164.504(e
  3. Business Associate Contracts sample provisionshttps://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
  4. BA FAQhttps://www.hhs.gov/hipaa/for-professionals/faq/business-associates/index.html
  5. 164.103https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-A/section-164.103
  6. online trackinghttps://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html
  7. BA guidancehttps://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
  8. Enforcement Highlights pagehttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
  9. resource pagehttps://www.hhs.gov/about/news/2024/03/05/letter-health-care-leaders-cybersecurity.html

Sources verified as of May 22, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides