Vendors and BAAs

Practice Management and EHR Vendors: Which Offer a BAA

5 min read · Last reviewed May 22, 2026

The vendor-by-vendor question is universally asked

Small practices reliably ask: does my EHR offer a BAA? In practice the answer is yes for nearly every modern, ONC-certified EHR sold to HIPAA-covered entities. Vendors that decline a BAA effectively decline to serve covered entities because their customers cannot use the product compliantly.

The Business Associate definition at 45 CFR 160.103 makes EHR vendors business associates when they create, receive, maintain, or transmit ePHI on behalf of the covered entity. The contract requirements live at 164.504(e)) and the HHS sample provisions are the baseline.

How to verify a BAA without relying on lists

Rather than maintaining a list of "which vendors offer a BAA" (which goes stale within weeks), the durable approach is a small in-house checklist applied per vendor:

  1. Search the vendor's site for BAA. Most vendors publish a Trust Center, Compliance page, or Privacy page that names HIPAA and references a downloadable or on-request BAA.
  2. Check the standard contract. Many vendors auto-include BAA terms in the master services agreement (MSA) or include them as a HIPAA addendum that attaches when the customer identifies as a HIPAA covered entity. The contract should reference 45 CFR 164.504(e)) or the equivalent Privacy Rule citation.
  3. Compare to the HHS sample provisions. The BAA must include the elements at 164.504(e)(2)(2)): permitted and required uses and disclosures, safeguards, reporting of unauthorized use or disclosure, subcontractor flow-down, individual access support, accounting support, internal practices, return or destruction at termination, and breach reporting tied to 164.410.
  4. Check the breach reporting clause. Look for the specific notice clock and the elements the BA must report. The Security Rule does not set a fixed BA breach notice clock; the BAA usually does (commonly 5-15 days from discovery).
  5. Read the subcontractor flow-down. The BAA must require the BA to enter into BAAs with its own subcontractors that handle PHI. This is the chain the 2013 Omnibus rule made explicit.
  6. Note the indemnification and limitation of liability. These vary by vendor; not regulatory requirements, but practically important.
  7. Confirm the signatory. Some vendors require the BAA be executed by the legal entity rather than the practice DBA.

Common categories where the BAA question comes up

For a typical small practice these are the categories where practices are most likely to need to chase down a BAA:

  • The EHR itself. Look for the BAA inside the vendor's contract bundle or downloadable from a Trust Center page.
  • Cloud productivity (Microsoft 365, Google Workspace). Both offer BAAs but the BAA must be enabled in the admin console. Without enabling it, the BAA is not in force.
  • Telehealth platform. Generic consumer video (FaceTime, Facebook Messenger, consumer Zoom) does not offer a BAA; the HIPAA-eligible tier of Zoom or healthcare-specific telehealth tools does.
  • Patient communication / reminder vendor. Most healthcare-specific reminder vendors offer a BAA; generic SMS gateways usually do not.
  • AI scribe, ambient documentation, or AI summary tools. Newer category; vendors vary widely. Read carefully.
  • Web analytics and patient acquisition tools. OCR's December 2022 bulletin on online tracking (partially vacated by a 2024 federal court but with the BAA position retained where PHI is implicated) raised the bar here.
  • Marketing CRM. Where it pulls patient lists, it's a BA. Generic marketing platforms generally do not offer a BAA.
  • Payment processor. Most operate as conduits; many do not offer a BAA. Verify the data fields exchanged. The HHS conduit FAQ is the touchstone.
  • Shredding service. Most healthcare-focused shredders offer a BAA.
  • IT support / MSP / managed firewall. Should have a BAA if they have system access; most healthcare-focused MSPs do.

Practical inventory format

A defensible vendor and BAA inventory captures:

  • Vendor legal name and DBA
  • Product or service
  • Category (EHR, clearinghouse, MSP, etc.)
  • BAA status (executed / pending / not required / not available)
  • BAA effective date
  • BAA file location
  • Data flow summary (what ePHI moves, where it lands, how it gets back)
  • Renewal or re-paper date
  • Practice owner (named person)
  • Notes — e.g., "Microsoft 365 BAA enabled in admin center 2026-01-15"

The Security Rule requires this kind of record-keeping in spirit if not by exact citation; 164.316 and 164.530(j)) together set the six-year retention baseline.

What to do when a vendor says "we don't need a BAA"

If the vendor is in the ePHI data path and refuses a BAA, two real options:

  1. Negotiate. Ask for the vendor's published explanation and have counsel review it. Some vendors have legitimate conduit positions; many do not.
  2. Replace. If the function involves regular access to PHI and the vendor will not sign a compliant BAA, the practice is taking on legal risk by continuing the relationship. The Security Rule expects covered entities to obtain BAAs from business associates as a precondition of the engagement.

What about subcontractor BAAs

A covered entity does not sign the subcontractor BAA, but it is entitled to know whether the BA has executed BAAs with its subcontractors. Increasingly, practices ask for that confirmation as a standard part of vendor due diligence.

Restraint about claims

A BAA is a single contract document. It does not, by itself, make a practice compliant. The Security Rule is a continuing program. A current vendor and BAA log is one component of that program.

How D3rx fits

D3rx SRA Binder Studio includes a vendor and BAA register, prompts for the data flow per vendor, and surfaces the 164.504(e)(2)(2)) BAA element list for review. It is a point-in-time administrative documentation aid; the practice remains responsible for executing and maintaining the actual agreements.

Next steps

See where your practice currently stands with the free 5-question readiness check, or review the full workflow and pricing on the main SRA page.

Where do you stand on your SRA today?

Five quick questions, no signup. You'll see which Security Rule sections your practice already has covered and which ones still need work.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, the Code of Federal Regulations, and NIST.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. 45 CFR 160.103https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-A/section-160.103
  2. 164.504(e)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.504#p-164.504(e
  3. sample provisionshttps://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
  4. 164.410https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.410
  5. bulletin on online trackinghttps://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html
  6. conduit FAQhttps://www.hhs.gov/hipaa/for-professionals/faq/business-associates/index.html
  7. 164.316https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316
  8. 164.530(j)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(j

Sources verified as of May 22, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides