BAA vs. Confidentiality Agreement: Which One Gets Signed?

Practical guidance for healthcare teams and business associates

In June 2023, OCR settled with iHealth Solutions for $75,000 after finding the business associate had exposed the ePHI of 267 individuals and failed to have business associate agreements in place with its own subcontractors [1]. The violation was not a hack. It was not a lost laptop. It was a missing contract. The wrong contract - or no contract at all - is one of the most common HIPAA findings OCR cites, and it is one of the easiest to prevent.

But here is the part that trips up every practice manager: not every person who walks through your door needs a business associate agreement (BAA). Some of them need a confidentiality agreement instead. Knowing which contract applies to which vendor is not a gray area. There is one question that answers it every time.

When Vendors Need a BAA vs. a Confidentiality Agreement

The distinction between a BAA and a confidentiality agreement is not about the size of the company, the frequency of their visits, or how much PHI they might see. It is about one thing: the task they are being paid to perform.

Is Their Task Directly Tied to PHI?

That is the only question. If the answer is yes - if the vendor is being expressly paid to create, receive, maintain, or transmit protected health information (PHI) as part of their job - they are a business associate under 45 CFR 160.103, and a BAA is required before they touch a single record.

If the answer is no - if the vendor’s task has nothing to do with PHI, but they happen to be inside your office where PHI exists - they are not a business associate. They do not need a BAA. But you still have a compliance risk to manage. That is where a confidentiality agreement comes in.

This is the line that most compliance content ignores entirely. They tell you “sign a BAA with your vendors” and leave it at that. But you have vendors, contractors, and service people coming in and out of your office space every single day. Not all of them are business associates. Treating them all the same creates unnecessary overhead, confuses your vendor management, and can actually weaken your compliance posture by diluting what a BAA is supposed to mean.

What a Business Associate Agreement Actually Is

A BAA is a corporate-level contract that works from the top down. It binds one organization to another. It imposes obligations under the HIPAA Privacy Rule and Security Rule. It requires the business associate to implement administrative, physical, and technical safeguards. It mandates breach notification. It gives you the right to terminate the relationship if they violate the agreement [2].

A BAA is required under 45 CFR 164.504(e) whenever a covered entity engages a vendor whose function, activity, or service involves the use or disclosure of PHI.

The relationship is built around PHI. The vendor exists in your workflow specifically because you need them to handle patient data. Examples:

  • Your EHR vendor stores and transmits patient records
  • Your billing company processes claims containing diagnosis codes and patient identifiers
  • Your IT managed service provider has access to systems containing ePHI
  • Your cloud backup provider stores encrypted copies of your patient database
  • Your shredding company destroys documents containing PHI
  • A consultant you hire to conduct a risk assessment reviews your PHI workflows

Every one of these vendors is being paid to do a job that is directly related to protected health information. The BAA is the contract that makes that relationship HIPAA-compliant.

What a Confidentiality Agreement Actually Is

A confidentiality agreement is the opposite of a BAA in almost every structural way. Where a BAA is corporate - binding one organization to another from the top down - a confidentiality agreement is personal. It is a person-to-person contract. The individual signing it is declaring: I am here to do my job. If I happen to see protected health information while I am on these premises, I will not use it, share it, or disclose it to anyone.

That is it. No Security Rule obligations. No breach notification procedures. No audit rights. No subcontractor flow-down requirements. It is a focused, narrow agreement that addresses a specific, limited risk: someone who is not there to work with PHI might accidentally encounter it.

A confidentiality agreement does not make someone a business associate. It does not impose HIPAA obligations on them. What it does is create a documented safeguard - evidence that you identified the risk of incidental PHI exposure, took a reasonable step to mitigate it, and put it in writing. That is exactly what OCR wants to see if they ever investigate your practice.

The Water Guy, the Mail Carrier, and the Sharps Collector

Think about the people who walk through your office on any given week. The person who delivers your water. The mail carrier. Someone from a medical waste company who picks up your sharps containers. The HVAC technician. A copier repair tech.

None of these people are being paid to work with PHI. The water delivery person is there to swap out a jug. The sharps collector is there to pick up a biohazard container. Their task has zero to do with patient data.

But they are inside your four walls. They walk past the front desk. They might see a patient sign-in sheet. They could glance at a screen showing a patient schedule. They might overhear a phone call. The sharps collector walks through clinical areas where charts, labels, and documents with PHI are visible.

HHS has addressed this directly. In FAQ 243, HHS states that a business associate contract is not required with persons whose functions “do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all” [3].

Incidental means it was not the purpose of their visit. It was not part of their job. It was a by-product of being physically present in a space where PHI exists.

But “no BAA required” does not mean “no action required.” You still have an obligation under the Privacy Rule to implement reasonable safeguards to limit incidental disclosures (45 CFR 164.530(c)). A confidentiality agreement is one of those safeguards. It puts the individual on notice that they may encounter sensitive information, and it documents their commitment to keep it private.

Side-by-Side Comparison

Business Associate Agreement Confidentiality Agreement
Type of contract Corporate, organization-to-organization Personal, individual-to-organization
Direction Top-down (binds the company) Bottom-up (binds the person)
When required Vendor’s task is directly tied to PHI Vendor may incidentally encounter PHI
HIPAA mandate Required under 45 CFR 164.504(e) Not HIPAA-mandated, but a reasonable safeguard
Scope Privacy Rule, Security Rule, breach notification, subcontractor obligations Promise not to use or disclose PHI
Examples EHR vendor, billing company, IT provider, shredding company Water delivery, mail carrier, sharps collector, HVAC tech
Termination rights Yes, for material breach Typically not applicable
Breach notification Required within 60 days of discovery Not required

What Happens When You Pick the Wrong One

Getting it wrong in either direction creates problems.

Signing a BAA when a confidentiality agreement would suffice creates administrative bloat. You are now tracking that vendor as a business associate. You owe them a copy of your Notice of Privacy Practices limitations. You need to monitor their compliance. You may need to verify their safeguards annually. For the water delivery company, that is absurd - and it dilutes your attention from the vendors who actually handle PHI and present real risk.

Signing a confidentiality agreement when a BAA is required is a HIPAA violation. If a vendor is creating, receiving, maintaining, or transmitting PHI on your behalf and you do not have a BAA in place, you are in violation of 45 CFR 164.502(e) regardless of whether a breach ever happens. OCR does not need a breach to find a violation - the missing contract alone is enough. Penalties for missing BAAs range from $137 to $68,928 per violation, with annual maximums up to $2,067,813 per violation category [4].

The test is always the same: is the vendor’s task directly tied to PHI? If you have to think about it for more than a few seconds, the answer is usually clear once you ask the question the right way.

FAQs

Does a janitorial service need a BAA? No. HHS has stated that janitorial services are not business associates because their work does not involve the use or disclosure of PHI. Any contact with PHI that occurs while cleaning is incidental [3]. A confidentiality agreement is appropriate.

What about a shredding company? Yes, a shredding company needs a BAA. Their entire task is destroying documents that contain PHI. The service is directly tied to protected health information, making them a business associate [2].

Is a confidentiality agreement required by HIPAA? No. HIPAA does not specifically require confidentiality agreements for non-business-associate vendors. However, the Privacy Rule requires covered entities to implement reasonable safeguards to limit incidental disclosures. A confidentiality agreement is a documented safeguard that demonstrates compliance with that requirement.

What if a vendor’s role changes and they start handling PHI? The moment a vendor’s task becomes directly tied to PHI, a BAA is required. Confidentiality agreements do not convert into BAAs. You need to execute a new agreement that meets the requirements of 45 CFR 164.504(e).

Can I use a single template for all vendors? No. A BAA and a confidentiality agreement serve different purposes and contain different provisions. Using a BAA template for someone who only needs a confidentiality agreement overcomplicates the relationship. Using a confidentiality agreement when a BAA is required leaves you exposed to HIPAA penalties.

Does the “conduit exception” apply here? The conduit exception is separate. It applies to entities that transport PHI but do not access it - like the U.S. Postal Service or a courier. They are not business associates because they are merely transporting sealed information. The confidentiality agreement scenario is different: these are people inside your facility who might see PHI incidentally while performing an unrelated task.

Sources

  1. HHS OCR - iHealth Solutions Settlement, June 2023
  2. HHS - Business Associates Guidance
  3. HHS FAQ 243 - Business Associate Contract for Inadvertent Contact with PHI
  4. HIPAA Fines Increased in 2026
  5. 45 CFR 160.103 - Definition of Business Associate
  6. 45 CFR 164.504(e) - Business Associate Contract Requirements
  7. HHS Model Business Associate Agreement

One Guy Consulting offers affordable HIPAA compliance packages for practices of all sizes. Learn more

This content is for educational and informational purposes only and should not be construed as legal advice.