Business Associate Agreement FAQ
BAA Basics
A Business Associate is a person or company paid to do work that involves patient data (PHI). If the work involves using, sharing, sending, storing, or handling PHI, that company may be a Business Associate.
A BAA is a contract between two parties who handle patient data. It spells out who is in charge of keeping that data safe. Learn more about our BAA management services.
Many people think every vendor needs a BAA. That is not true. Being a vendor and being a Business Associate are not the same thing.
Specific Vendor BAA Requirements
It depends on how you use it. If Microsoft stores, sends, or handles your patient data (ePHI), then yes, you likely need a BAA with them.
If you use Google Workspace to store, send, or handle patient data, you should get a BAA from Google.
In most cases, yes. Even if an IT company does not store patient data directly, their work often gives them access to systems that hold it.
Yes. Shredding companies destroy records that contain patient data, so they are almost always Business Associates.
Usually, no. But you should still take basic steps to protect private info. Some practices use a simple privacy agreement just in case.
BAA Management
Fix a missing BAA as soon as you find it.
Most practices review their BAAs once a year or when there is a major change in the vendor relationship.
Vendor Vetting & Due Diligence
One of the biggest mistakes is failing to evaluate vendor risk.
At a minimum, check if a BAA is needed and review vendor risk. Use a short survey, a security review, or both.
Know exactly how patient data will be shared, stored, sent, accessed, or released.
Yes. A vendor can decline to sign any agreement.
Weigh the risks of keeping the vendor. Decide if you can still use them safely or if you need to find a new option.
One Guy Consulting helps practices inventory their vendors, determine which require BAAs, and manage the entire BAA execution process. Our vendor management service includes risk evaluation and ongoing monitoring.
Need Help Managing Your Business Associate Agreements?
Book a free 30-minute intro call. We will review your vendors, tell you which ones need BAAs, and show you how we handle the whole process.
More HIPAA FAQ Resources
- HIPAA compliance FAQ covering basics, risk assessments, training, and policies
- HIPAA audit readiness frequently asked questions
- HIPAA technology and security frequently asked questions
- BAA management service details
- Vendor risk management services
- Real-world HIPAA compliance case studies
- Full pricing comparison with plan details