A Business Associate Agreement is one of the most important — and most overlooked — compliance documents in a dental practice. If any outside vendor accesses, stores, or transmits your patient data, HIPAA requires a signed BAA before they do that work. Most practices are missing more of these than they realize.
What a BAA Is and Why It Exists
Under HIPAA, your dental practice is a Covered Entity — you create and handle Protected Health Information (PHI) as part of delivering care. When you hire an outside company that will access or handle that PHI on your behalf, that company becomes a Business Associate. The law requires a written contract — a Business Associate Agreement — that obligates the vendor to protect PHI under the same standards HIPAA places on you.
The BAA doesn't just protect your patients. It protects your practice. Without one, you bear full liability for how that vendor handles your patient data. If they suffer a breach, you can be held responsible as if the breach happened in your own office.
Who Needs a BAA
The trigger is simple: does this vendor ever see, store, process, or transmit PHI? If yes, you need a BAA. In a typical dental practice, that list is longer than most owners expect:
Almost Always Required
- Practice management software vendors (Dentrix, Eaglesoft, Curve Dental, Carestream) — they host or access your patient records
- Cloud backup and storage providers — if patient data is in the backup, the backup vendor is a Business Associate
- IT support companies and managed service providers — if your IT team can access systems containing PHI, a BAA is required
- Email encryption providers (Paubox, Zix, LuxSci) — they handle PHI in transit
- Billing and insurance claim services — they process patient diagnoses and treatment codes
- Dental imaging and radiology software vendors — X-rays and CBCT scans are PHI
- Electronic health record platforms and any portals they include
- Transcription and clinical documentation services
Often Overlooked
- Google Workspace and Microsoft 365 — if used to store, send, or access PHI, a BAA must be signed separately (it is not automatic)
- Document shredding companies — they handle physical records containing PHI
- Answering services and after-hours call centers — if they take messages that include patient information
- Patient communication platforms (appointment reminders, recall systems) that include patient names and procedure details
- Accounting and bookkeeping firms — if they access billing records that include patient diagnoses or treatment information
- Security camera and alarm monitoring companies — if cameras are positioned where patient records or screens are visible
What a BAA Must Include
HIPAA specifies minimum required provisions. A valid BAA must:
- Define the permitted uses and disclosures of PHI by the vendor
- Require the vendor to use appropriate safeguards to prevent unauthorized use or disclosure
- Require the vendor to report any breach or unauthorized disclosure to you
- Require the vendor to pass the same obligations down to any subcontractors who access PHI
- Require the vendor to return or destroy PHI at the end of the relationship
- Give you the right to terminate the agreement if the vendor violates its terms
Many vendors provide their own BAA templates. Review them before signing — some contain provisions that limit their liability or narrow their obligations in ways that leave your practice exposed.
What Happens Without One
Operating without a required BAA is itself a HIPAA violation — separate from any breach that may occur. The HHS Office for Civil Rights (OCR), which enforces HIPAA, has levied significant penalties against practices that had no BAAs with vendors handling their data, even when no breach occurred. In the event of an actual breach involving a vendor without a BAA, your practice faces compounded liability: the breach itself and the missing agreement.
Penalties for HIPAA violations are tiered by culpability. A missing BAA typically falls into the "willful neglect" category if OCR determines the practice knew or should have known the requirement applied — and willful neglect penalties start at $10,000 per violation.
Getting Your BAAs in Order
1. Make a vendor inventory. List every outside company that has access to your systems, patient records, or communications. Cast a wide net — include software vendors, IT support, cloud services, and any third-party service provider.
2. Identify which ones require a BAA. For each vendor, ask: does this company ever see, process, or store PHI? If there's any doubt, treat it as a yes.
3. Check your existing agreements. Many practices have BAAs buried in original vendor contracts or onboarding paperwork — confirm whether one exists before requesting a new one.
4. Request missing BAAs. Reputable vendors will have a BAA readily available. A vendor who refuses or is unfamiliar with the requirement is a red flag — and continuing to use them without one is a compliance risk you're accepting.
5. Store signed BAAs where you can find them. Maintain a central log of all signed BAAs with the vendor name, date signed, and renewal or review date. If OCR ever audits your practice, producing these quickly matters.
Not sure which of your vendors require a BAA? We help Colorado Front Range dental practices conduct vendor audits and close HIPAA compliance gaps — including BAA reviews, technical safeguards, and staff training.
The Bottom Line
A BAA is not a formality — it's a legal requirement with real consequences for missing it. Most dental practices that haven't done a formal vendor audit are operating with at least a few gaps. Running through your vendor list, confirming what exists, and filling in what's missing is one of the highest-value compliance actions a practice can take in an afternoon.