Business Associate Agreements (BAAs): Who Needs One—and Why It’s More Than Paper
- Michael Davis
- Aug 11, 2025
- 4 min read
If HIPAA is the rulebook, the Business Associate Agreement is the handshake that makes it real. A BAA doesn’t just say “we care about privacy.” It spells out who touches ePHI, what they’re allowed to do, how they’ll protect it, and what happens if things go sideways. For small practices in Fort Myers, Naples, Cape Coral, and Sarasota, BAAs are the difference between assuming a vendor is careful and requiring it.
The practical point of a BAA
A good BAA lines up three things: purpose, safeguards, and accountability. Your vendor (the “business associate”) can use or disclose PHI only to do the job you hired them for. They must apply reasonable technical and organizational safeguards, flow those requirements down to any subcontractors, and notify you quickly if something goes wrong. In plain English: no side quests, no excuses, no black boxes.

Who actually needs one (the real-world list)
Some vendors are obvious (EHR, billing, cloud storage). Others fly under the radar:
Your MSP/IT partner (that’s us): if we can access systems that store or transmit ePHI—even potentially—we’re a business associate and should sign a BAA. Under normal circumstances we openly sign a BAA the moment we learn HIPAA regulations are involved.
VoIP/UCaaS & voicemail-to-email: voice can carry PHI; voicemail transcriptions and email delivery make it explicit.
eFax & scanning services: PHI in, PHI out—yes, they need a BAA.
Backup, archive, disaster recovery, and email security gateways: if they store/route PHI, they’re in scope.
Telehealth platforms, patient reminder tools, portals, forms, e-signature, transcription: if they touch, process, or host PHI, they’re in.
Who usually doesn’t: pure “conduits” that only transmit data and can’t access it (think postal mail or certain carriers) and entities that never see PHI (your coffee vendor). When in doubt, document why you decided “BAA not required.”
What belongs in the agreement (beyond the legalese)
Strong BAAs do a few simple but powerful things:
Define permitted use in practical terms (“appointment reminders,” “secure hosting of the EHR database,” etc.).
Name the safeguards: encryption standards, access controls, logging, retention, and how devices/media are disposed.
Set the breach-notification clock (and make sure it’s fast enough for you to meet federal/state timelines).
Flow-down to subcontractors: if your vendor uses a sub-vendor, the same rules apply there too.
Exit plan: PHI is returned or destroyed—no orphaned backups floating around.
The gray areas that cause trouble
Two spots trip clinics up: marketing tools and “we never look at the data” claims. If a platform sends reminders, hosts forms, or inspects messages for security, it touches PHI in some way. And “we could access it in an emergency but don’t usually” still means a BAA is appropriate. Treat BAAs as normal business hygiene, not awkward one-offs.
Why this matters (even when nothing’s wrong)
Insurers and large partners increasingly ask to see your vendor list and BAAs before they’ll sign or renew. During a review, clean BAA coverage shortens the conversation; missing BAAs drag it out. Operationally, a solid BAA forces clarity: who’s doing what, where the data lives, and how you’ll talk to each other on a tough day.
At MET Florida, we built our Managed HIPAA Compliance program around that clarity. We sign BAAs, we help you keep a living vendor inventory, and—because we pass software at cost to Managed IT Services clients from a 700+ vendor ecosystem (including Microsoft)—you avoid stacking tools you don’t need.
FAQs
Do we really need a BAA with our IT provider? Yes—if your MSP can access systems that store or transmit ePHI (even potentially), they’re a business associate and should sign a BAA.
Our VoIP provider says “we don’t store PHI.” Still need a BAA? If voicemail, recordings, or transcripts can contain PHI—or if voicemail routes to email—treat them as a business associate and get a BAA.
What about eFax? eFax services process PHI by design. You need a BAA.
Are carriers or the Post Office business associates? Pure “conduits” that just transport and can’t access content typically aren’t BAs. Document the rationale in your vendor file.
A vendor says they only access data in emergencies. Potential access still counts. If they could touch PHI, require a BAA.
We use a marketing/reminder tool—does that need a BAA? If it handles appointment reminders, forms, or messaging with patient info, yes.
What should the breach-notification timeline be? Fast enough for you to meet federal/state clocks. “Without unreasonable delay” is the standard; many practices require the vendor to notify them within days, not weeks.
Bottom line: BAAs aren’t busywork—they’re how you make sure partners protect your patients as carefully as you do. Get them signed, keep them current, and your next questionnaire goes a whole lot faster.
This article is informational, not legal advice. If you want help mapping vendors and shoring up BAAs, book a 15-minute consult.
Want help turning your environment audit-ready? MET Florida can help.
For more information about our Managed IT service and other services, check out our service offerings.
Running a medical office? MET Florida specializes in medical practices just like yours; check out our Managed HIPAA compliance services.