In February 2024, hackers broke into Change Healthcare, the company that processes roughly 15 billion healthcare transactions a year, and stole data on an estimated 190 million people. It became the largest healthcare data breach in history. Hospitals, pharmacies, and practices across the country couldn’t process claims for weeks. The financial damage to UnitedHealth Group, Change Healthcare’s parent company, exceeded $3 billion.
Every single healthcare organization that shared patient data with Change Healthcare did so under a Business Associate Agreement. And when the dust settled, the question that kept coming up was the same one that comes up after every major vendor breach: did those BAAs actually protect anyone?
The answer, in most cases, is that the agreements were there but the oversight wasn’t. And OCR has made clear, through 21 enforcement actions in 2025 alone (the second-highest annual total on record), that having a signed BAA is only the beginning of your obligations.
Here are the seven mistakes that keep getting practices fined, investigated, and exposed.
Mistake 1: Not Having BAAs With ALL Vendors Who Touch PHI
This is the most common failure OCR finds, and the enforcement examples are brutal.
Advanced Care Hospitalists in Florida paid $500,000 after PHI for over 9,000 patients ended up publicly visible on a medical billing contractor’s website. The root cause? No BAA existed between Advanced Care and the billing company. The practice assumed the contractor knew the rules. The contractor apparently didn’t.
Pagosa Springs Medical Center paid $111,400 after sharing ePHI with a scheduling vendor without a valid BAA in place.
The Center for Children’s Digestive Health paid $31,000 for failing to update a BAA after the Omnibus Rule changed the requirements, meaning every piece of PHI shared after the compliance deadline was technically an impermissible disclosure.
The pattern is always the same: a practice shares PHI with a vendor, assumes the relationship is covered, and discovers too late that no valid agreement exists.
The Vendors Practices Commonly Miss
- Cloud storage providers. Google Drive, Dropbox, OneDrive: if patient data is stored there, you need a BAA. Google and Microsoft offer BAAs for their business-tier products. Personal and free-tier accounts do not qualify, and using them for PHI is itself a breach.
- IT support companies. Any IT firm that has remote access to systems containing PHI is a business associate. That includes the guy who comes in to fix your server. That includes your managed service provider.
- Document shredding and records destruction. The company that picks up your paper records? Business associate. The service that destroys old hard drives? Business associate.
- Medical transcription services. Whether it’s a large company or a freelancer, if they’re transcribing clinical notes with patient information, they’re a business associate.
- Answering services. If your after-hours service hears or records patient information, BAA required.
- Collection agencies. Sending outstanding accounts to collections means sharing PHI. BAA required.
- Web hosting and patient portals. Any hosting company that stores a patient-facing portal where PHI lives needs a BAA.
- Practice management software. Separate from your EHR: scheduling tools, billing platforms, and analytics software that process PHI all require BAAs with their vendors.
The test is simple: does this vendor create, receive, maintain, or transmit PHI on your behalf? If yes, BAA required. No exceptions based on vendor size, reputation, or how unlikely a breach seems.
Mistake 2: Using a Generic BAA Template Without Customizing Breach Notification Timelines
A valid BAA must include specific elements under 45 CFR 164.504(e), including rules for reporting breaches and security incidents. But the details matter enormously, and generic templates downloaded from the internet almost always get them wrong.
The biggest gap: breach notification timelines. HIPAA requires covered entities to notify affected individuals within 60 days of discovering a breach. But how quickly does your business associate have to tell you about the breach so your clock can start? If your BAA says “within a reasonable time” or doesn’t specify at all, you’ve got a problem.
Under the proposed 2025 Security Rule updates, business associates would be required to notify covered entities within 24 hours of activating their contingency plans, a dramatically tighter window than most current BAAs contemplate. If your existing agreements say “30 days” or “promptly,” they’re already behind where enforcement is heading.
A good BAA specifies an exact number of hours or days for the BA to report a breach or security incident to you. Seventy-two hours is common. Twenty-four hours is better. “Reasonable” is useless.
Mistake 3: Not Specifying What Happens When the BAA Terminates
What happens to patient data when you stop working with a vendor? Many BAAs don’t say, or say something vague like “data will be handled per applicable law.”
A proper BAA includes a termination clause that requires the vendor to either:
- Return all PHI to you in a specified format, or
- Destroy all PHI and provide written certification of destruction, or
- If return or destruction isn’t feasible (e.g., archived in backup systems), the vendor must explain why and continue to protect the data under the BAA’s terms indefinitely.
Without this clause, patient data sits in vendor systems forever after the relationship ends. Ex-vendors you haven’t worked with in years can become the source of a breach notification, and your name is on it because the PHI originated with you.
Also missing from many BAAs: what happens if the vendor materially breaches its obligations? A strong BAA gives you clear termination rights and requires the vendor to cooperate with breach response even after the contract ends.
Mistake 4: Failing to Track BAA Expiration Dates and Renewals
You signed a BAA in 2019. Since then, the vendor changed ownership, expanded their services, migrated to a new cloud platform, and hired 200 new employees. Your BAA still describes the services and protections from 2019.
This is not a theoretical problem. OCR’s Phase 2 audit found that only 11% of covered entities showed no compliance gaps, with BAA gaps among the most common findings.
BAAs should be reviewed every time the scope of services changes and at minimum annually. Most practices do neither. They sign the agreement, file it, and never look at it again.
How to Build a BAA Tracking System
The fix is boring but effective: keep a centralized BAA tracker. A spreadsheet with vendor name, agreement date, expiration or review date, scope of PHI access, and the file location of the signed agreement. Review it quarterly. Flag anything older than 12 months for renewal review. When OCR asks for written records, “we have it somewhere” is not an answer. A dated spreadsheet showing active management is.
Mistake 5: Not Verifying Your Business Associate’s Actual Security Practices
This is the mistake the Change Healthcare breach exposed on a massive scale.
Every healthcare organization that used Change Healthcare had a BAA. The paperwork was in order. But how many of those organizations actually verified that Change Healthcare was doing what the BAA required? How many reviewed its security posture, asked about its incident response capabilities, or checked whether it had completed a recent risk analysis?
The answer, based on the catastrophic scale of the breach: not enough.
A signed BAA is a legal document. It creates obligations. But it doesn’t create security. If your vendor signs a BAA promising to implement “appropriate safeguards” and then runs unpatched servers with no MFA and no encryption, the BAA didn’t protect your patients. It just gave you a piece of paper to wave during the inevitable lawsuit.
What Vendor Verification Actually Looks Like
- Request your vendor’s most recent risk assessment or SOC 2 report
- Ask about their encryption practices, access controls, and backup procedures
- Inquire about their incident response plan and when it was last tested
- Check whether they carry cyber insurance
- Ask if they’ve had any breaches or security incidents in the past three years
Under the proposed Security Rule, this stops being optional. The NPRM published January 6, 2025, would require business associates to provide covered entities with written verification at least once every 12 months confirming they’ve implemented the required technical safeguards. This verification must be validated by a cybersecurity subject matter expert and certified by a person of authority at the BA.
That means annual, documented, expert-validated proof that your vendor is actually doing what the BAA says. Not a checkbox. Not a phone call. Written analysis and certification.
Mistake 6: Missing BAAs With Subcontractors
HIPAA’s obligations run downstream. If your billing company uses a cloud platform to store the data it processes for you, that cloud platform is a subcontractor, and your billing company is required to have a BAA with it that includes the same HIPAA protections.
This is exactly the structure that made the Change Healthcare breach so devastating. Change Healthcare wasn’t the direct business associate for most of the affected patients. It was a subcontractor: the company behind the scenes processing claims for the insurance companies and clearinghouses that the practices actually contracted with. The PHI flowed through multiple layers, and the breach happened deep in the chain.
You don’t have to directly contract with your vendors’ subcontractors. But you should:
- Know who your BAs’ major subcontractors are
- Verify that your BAA requires BAs to flow down HIPAA duties to their subcontractors
- Ask your BA whether they have BAAs in place with every subcontractor who touches your data
- Include a term requiring BAs to notify you when they add new subcontractors who will have access to PHI
Most practices never ask these questions. The Change Healthcare breach, affecting 190 million people through a subcontractor relationship, is what happens when nobody asks.
Mistake 7: Not Including Incident Response Requirements and Timelines
A BAA that says “business associate will report security incidents” without specifying what that means in practice is a BAA that will fail you when it matters most.
Your BAA should include:
- Specific notification timelines: how many hours after discovering an incident the BA must notify you (72 hours maximum, 24 hours preferred)
- What counts as a reportable incident: not just confirmed breaches, but suspected incidents and unsuccessful attack attempts that could indicate targeting
- What information the BA must provide: nature of the incident, data involved, individuals affected, remediation steps taken
- Cooperation requirements: the BA’s duty to support your investigation, provide forensic data, and assist with breach notifications
- Contingency plan activation notification: under the proposed Security Rule, BAs must notify you within 24 hours of activating their disaster recovery or contingency plan
Without these specifics, you’re relying on your vendor’s good judgment about when to tell you something went wrong. The Change Healthcare breach was detected on February 21, 2024. Many practices didn’t understand the full scope of the impact on their patient data for months. A BAA with strong incident response terms gives you earlier warning and more control. If your vendor does get compromised, having a clear response plan makes the difference.
The BAA Audit Checklist
Run through this for every vendor who touches PHI:
Inventory
- [ ] Do we have a current, signed BAA with this vendor?
- [ ] Does the BAA accurately describe the current scope of services?
- [ ] When was the BAA last reviewed or updated?
- [ ] Is this BAA tracked in a centralized list with review dates?
Required Elements Under 45 CFR 164.504(e)
- [ ] Does it specify permitted uses and disclosures of PHI?
- [ ] Does it require appropriate safeguards?
- [ ] Does it include specific breach/incident reporting timelines (not just “reasonable”)?
- [ ] Does it address subcontractor obligations and flow-down requirements?
- [ ] Does it include a data return/destruction term at termination?
- [ ] Does it give us termination rights if the BA materially breaches?
Verification
- [ ] Have we reviewed the vendor’s most recent risk assessment or SOC 2 report?
- [ ] Have we verified their encryption, access control, and backup practices?
- [ ] Do we know who their major subcontractors are?
- [ ] Have we confirmed they carry cyber insurance?
Incident Response
- [ ] Does the BAA specify a notification timeline in hours (not “promptly” or “reasonably”)?
- [ ] Does it require cooperation with our breach investigation?
- [ ] Does it require notification of contingency plan activation?
Looking Ahead
- [ ] Are we prepared to request annual written verification once the new Security Rule is finalized?
- [ ] Have we budgeted for the vendor management process this will require?
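As an added example (not code from this post or from One Guy Consulting), here is a small Python audit over a constructed BAA tracker that applies the tracking rules from the "How to Build a BAA Tracking System" section and the checklist above: it flags missing agreements, reviews older than 12 months, notification timelines that are unspecified or longer than 72 hours, and missing termination and subcontractor flow-down terms. The field names, the sample vendors and the dates are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

REVIEW_MAX_DAYS = 365      # the post: flag anything older than 12 months for review
NOTIFY_MAX_HOURS = 72      # the post: 72 hours maximum, 24 hours preferred
AUDIT_DATE = date(2026, 3, 1)   # constructed "today" so the sample run is reproducible

@dataclass
class BAARecord:  # one row of the centralized BAA tracker (fields assumed)
    vendor: str
    phi_scope: str
    signed: Optional[date]           # None means no signed BAA on file
    last_reviewed: Optional[date]    # None means never reviewed since signing
    notify_hours: Optional[int]      # None means "promptly"/"reasonable"/unspecified
    termination_clause: bool         # PHI return/destruction at termination
    subcontractor_flowdown: bool     # BA must bind subcontractors to HIPAA terms

def audit_record(rec: BAARecord, today: date) -> list:
    """Return checklist findings for one vendor; an empty list means it passes."""
    if rec.signed is None:
        # Mistake 1: no agreement at all, so nothing else can be assessed.
        return ["NO_BAA: minimize PHI sharing until a BAA is executed"]
    findings = []
    reviewed = rec.last_reviewed or rec.signed
    if (today - reviewed).days > REVIEW_MAX_DAYS:
        findings.append(f"STALE: last reviewed {reviewed.isoformat()}, over 12 months ago")
    if rec.notify_hours is None:
        findings.append("NOTIFY: timeline not stated in hours")
    elif rec.notify_hours > NOTIFY_MAX_HOURS:
        findings.append(f"NOTIFY: {rec.notify_hours}h exceeds {NOTIFY_MAX_HOURS}h maximum")
    if not rec.termination_clause:
        findings.append("TERMINATION: no PHI return/destruction clause")
    if not rec.subcontractor_flowdown:
        findings.append("SUBCONTRACTOR: no flow-down of HIPAA obligations")
    return findings

def audit_inventory(records, today: date) -> dict:
    """Map vendor name -> findings, so the quarterly tracker review runs in one pass."""
    return {r.vendor: audit_record(r, today) for r in records}

# Constructed sample inventory: vendor names, dates and terms are made up.
SAMPLE = [
    BAARecord("Example Billing Co", "claims, demographics", date(2019, 3, 1), None,
              None, False, False),
    BAARecord("Example Cloud Storage", "scanned charts", date(2025, 6, 15),
              date(2025, 6, 15), 24, True, True),
    BAARecord("Example Shredding Svc", "paper records", None, None, None, False, False),
]
```

Running `audit_inventory(SAMPLE, AUDIT_DATE)` passes the cloud vendor, reports four findings for the 2019 billing agreement, and stops at NO_BAA for the shredding service.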
How to Fix Your BAA Gaps Today
If you find you’re missing a BAA with a current vendor:
- Minimize PHI sharing with that vendor right away until the BAA is executed
- Contact the vendor and request their standard BAA; most established vendors have one ready
- Review it against the required elements above before signing
- If they push back on signing a BAA, treat that as a disqualifying red flag: a vendor who refuses to sign a HIPAA-required agreement is not a vendor you should share patient data with
If you find a BAA that’s outdated or missing key terms:
- Reach out to the vendor to negotiate an addendum or full replacement
- Don’t just amend informally; get a signed, dated document
- Prioritize by risk: vendors with the most access to the most sensitive data get updated first
- Document your review process so you can show active compliance management to OCR
The enforcement trend is clear. OCR’s 21 actions in 2025, the proposed annual verification rule, and the Change Healthcare fallout all point in the same direction: the era of signing a BAA and forgetting about it is over. Vendor management is now an active, ongoing compliance obligation, and the organizations that treat it that way are the ones that won’t end up in the next enforcement headline.
Need help auditing your BAAs and vendor relationships? One Guy Consulting offers affordable HIPAA compliance packages.