BAA Vendor List: Which Vendors a Small Practice Needs to Sign With
5 min read · Last reviewed May 22, 2026
When a BAA is actually required
A Business Associate Agreement is required whenever a covered entity engages a non-workforce person or organization to perform a function or activity on behalf of the covered entity that involves access to PHI. The defining text is at 45 CFR 160.103 (definition of Business Associate) and the BAA contract requirements live at 164.504(e)).
The HHS Business Associate Contracts sample provisions page is the model the agency itself publishes. Use it as a comparison baseline when reviewing a vendor's contract.
When a BAA is not required
Two situations come up often:
- Conduits (telephone companies, internet service providers, postal services) that transmit but do not regularly access PHI. OCR's BA FAQ sets the narrow scope of the conduit exception.
- Workforce members — employees, volunteers, trainees — covered under 164.103. They are governed by training and sanctions, not a BAA.
If a vendor accesses, stores, transmits, or processes PHI as part of doing work for the practice, assume a BAA is required and rebut the assumption only with a clear citation.
Vendor categories where small practices typically need a BAA
The list below is a working baseline. Every practice's stack is different; treat this as a checklist, not a closed set.
- Electronic Health Record vendor — including the EHR's cloud hosting, modules, and add-ons.
- Practice management software if separate from the EHR.
- Clearinghouse for eligibility, claims, ERA, and remits.
- Revenue cycle management / billing service / coding contractor if performed by a non-employee.
- Patient communication platforms — appointment reminder text/voice, patient portal SaaS, recall outreach.
- Telehealth platform.
- E-prescribing infrastructure (Surescripts is the network; EHR vendor BAA usually covers it).
- Lab and imaging interfaces outside of the EHR (Quest, LabCorp, Cosmos, regional hospital interface).
- Specialty registries that pull patient-level data.
- MIPS / quality reporting submission services.
- Cloud storage, backup, and disaster recovery services that hold ePHI.
- Email and productivity vendor if mailboxes carry PHI (Google Workspace BAA, Microsoft 365 BAA — both require turning on the BAA explicitly per the vendor's instructions).
- Document scanning and storage vendors.
- Shredding service for paper PHI (most vendors offer a BAA even though paper is not ePHI, since the rule covers all PHI through the Privacy Rule).
- Transcription, AI scribe, and ambient documentation vendors.
- Marketing and patient acquisition tools that touch any PHI element.
- Web hosting and analytics if PHI passes through (OCR's December 2022 guidance on online tracking is the touchstone; a 2024 federal court vacated parts but the BAA position remains where third-party trackers touch PHI).
- Patient survey, review, and reputation management tools that send identified survey invitations.
- Bookkeeping, accounting, or back-office services if any deidentified-claim data still contains PHI.
- IT support, MSP, and managed firewall/IDS vendors that have access to systems holding ePHI.
- Hardware leasing or copier service vendors if devices retain images of PHI.
- Specialty cloud platforms: cardiac monitoring vendors, sleep study vendors, dental imaging clouds, RPM and RTM platforms.
- Pharmacy benefit communications tools.
- Population health / care management platforms.
- Coding and audit tools that ingest charts.
Subcontractor BAAs
Under the 2013 Omnibus rule, business associates must execute BAAs with their own subcontractors that create, receive, maintain, or transmit PHI on their behalf. The chain extends as far as the data flows. As a practice, you do not sign the subcontractor BAA, but you are entitled to know your direct business associate has done so. OCR's BA guidance confirms the obligation flows through.
Common gaps OCR finds
OCR's published Resolution Agreements (see the Enforcement Highlights page) repeatedly note:
- No BAA on file for a vendor that obviously handled ePHI
- A BAA signed years ago, never re-papered after the 2013 Omnibus rule
- A BAA that omits the required terms in 164.504(e)(2)(2))
- A BAA with a vendor's predecessor entity after an acquisition
A defensible BAA log addresses all of those by listing each active vendor, the BAA version and signature date, the responsible party, and a re-paper date when the underlying contract is renewed.
The Change Healthcare lesson
The February 2024 ransomware incident at Change Healthcare put a magnifying glass on subcontractor risk. UnitedHealth Group's public disclosures and HHS's resource page describe the scope. Small practices found out that the clearinghouse their EHR routed through was a single point of failure they had not separately inventoried. Lesson: the BAA log should match the data flow diagram. If a vendor sits on the data path, it needs to be in the inventory and the BAA log.
What a defensible BAA log contains
- Vendor legal name and DBA
- Vendor category (EHR, clearinghouse, MSP, etc.)
- Data flow summary (what ePHI flows, in which direction)
- Current contract reference
- BAA version, effective date, expiration
- Document storage location
- Owner inside the practice
- Re-paper / re-review date
- Status field (active, terminated, in negotiation)
Restraint about claims
No vendor's BAA, on its own, makes a practice compliant. The Security Rule is a process; the BAA is one supporting document inside the process. A practice that maintains a current BAA log and ties it back to its data flow inventory is doing the work the rule asks for.
How D3rx fits
D3rx SRA Binder Studio includes a vendor and BAA inventory inside the binder, prompts for the data flow per vendor, and surfaces the underlying citation each step of the way. It is a point-in-time documentation aid; the practice remains responsible for actually executing and maintaining each BAA.
Next steps
See where your practice currently stands with the free 5-question readiness check, or review the full workflow and pricing on the main SRA page.
Where do you stand on your SRA today?
Five quick questions, no signup. You'll see which Security Rule sections your practice already has covered and which ones still need work.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, the Code of Federal Regulations, and NIST.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- 45 CFR 160.103https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-A/section-160.103
- 164.504(e)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.504#p-164.504(e
- Business Associate Contracts sample provisionshttps://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
- BA FAQhttps://www.hhs.gov/hipaa/for-professionals/faq/business-associates/index.html
- 164.103https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-A/section-164.103
- online trackinghttps://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html
- BA guidancehttps://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
- Enforcement Highlights pagehttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
- resource pagehttps://www.hhs.gov/about/news/2024/03/05/letter-health-care-leaders-cybersecurity.html
Sources verified as of May 22, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
Practice Management and EHR Vendors: Which Offer a BAA
5 min readFoundationsHIPAA Policies and Procedures: What a Small Practice Actually Needs
5 min readTechnical SafeguardsHIPAA Encryption Requirements for ePHI
5 min readAudits and EnforcementChange Healthcare Ransomware: What Small Practices Took Away
6 min readRelated across the archive
- SRAPractice Management and EHR Vendors: Which Offer a BAAHow a small practice identifies whether its practice management and EHR vendors offer a Business Associate Agreement, what to look for, and how the BAA fits into the broader vendor inventory required by the Security Rule.
- SRAChange Healthcare Ransomware: What Small Practices Took AwayThe February 2024 Change Healthcare cyberattack, what HHS and UnitedHealth Group disclosed, and the small-practice lessons about clearinghouse concentration risk, contingency planning, and the Security Rule's information system activity review.
- SRAHIPAA Encryption Requirements for ePHIWhat the Security Rule actually says about encryption at 45 CFR 164.312(a)(2)(iv) and 164.312(e)(2)(ii), the safe harbor under the Breach Notification Rule, and what 'addressable' means in practice.
- SRAHIPAA Policies and Procedures: What a Small Practice Actually NeedsWhat 45 CFR 164.316 and 164.530(i) require for HIPAA policies and procedures, the minimum set a small practice should maintain, and how to keep them current without bloat.
- ComplianceBusiness Associate Agreement Template (2026) + Counterparty TrackerA 2026 HIPAA Business Associate Agreement template with every 45 CFR 164.504(e) required clause, plus the vendor tracker auditors expect alongside it.
- GlossaryBAA (Business Associate Agreement)A written contract required between a covered entity and any vendor that creates, receives, maintains, or transmits PHI on its behalf.
- RegulationHIPAA Business Associate Agreements (45 CFR 164.504(e))Required contract elements for any business associate that creates, receives, maintains, or transmits PHI on behalf of a covered entity.
- ComplianceFlorida Healthcare Compliance: FIPA Breach Notification + State SpecificsFlorida Information Protection Act (F.S. § 501.171) vs HIPAA: 30-day breach window, AG notice at 500 residents, $500k penalty cap, F.S. § 456.057 records rules.