BAA & Vendor Management

Business Associate Agreement FAQ

Which Vendors Need BAAs, How to Vet Them, and What to Review Before Signing

15 questions covering Business Associate definitions, specific vendor BAA requirements for Microsoft 365, Google Workspace, IT companies, shredding services, and more. Plus vendor vetting, review processes, and what to do when a vendor refuses to sign.

BAA Basics

A Business Associate is an individual or organization being paid to perform services involving protected health information (PHI). If the work requires the use, disclosure, transmission, storage, or handling of PHI, the organization may qualify as a Business Associate.

A Business Associate Agreement (BAA) is a contract between two parties handling protected health information that establishes responsibilities for protecting that information. Learn more about our BAA management services.

One of the biggest misconceptions is that every vendor automatically requires a BAA. Vendor status and Business Associate status are not always the same thing.

Specific Vendor BAA Requirements

It depends on how Microsoft 365 is being used. If Microsoft is providing services involving the storage, transmission, processing, or handling of electronic protected health information (ePHI), a Business Associate Agreement may be required.

If your organization is using Google Workspace to store, transmit, or otherwise handle protected health information, you should obtain Google's Business Associate Agreement.

In most cases, yes. Even if an IT company is not directly storing patient information, its responsibilities often require access to systems containing protected health information.

Yes. Because shredding companies are often responsible for destroying records containing protected health information, they commonly qualify as Business Associates.

Generally speaking, no. However, organizations should still take reasonable steps to protect confidential information and may choose to use confidentiality agreements or other safeguards.

BAA Management

A missing BAA should be addressed immediately upon discovery.

Many organizations adopt an annual review cadence or perform reviews when there is a material change to the relationship.

Vendor Vetting & Due Diligence

One of the biggest mistakes is failing to evaluate vendor risk.

At a minimum, organizations should review whether a Business Associate Agreement is required and evaluate vendor risk through a questionnaire, security review, or other due diligence process.

Organizations should understand exactly how protected health information will be shared, stored, transmitted, accessed, or disclosed.

Yes. A vendor can decline to sign any agreement.

Organizations should evaluate the risks associated with continuing the relationship and determine whether the vendor can continue to be used.

One Guy Consulting helps healthcare organizations inventory their vendors, determine which require BAAs, and manage the entire BAA execution process. Our vendor management service includes risk evaluation and ongoing monitoring.

Need Help Managing Your Business Associate Agreements?

Book a free 30-minute intro call. We will review your vendor relationships, identify which require BAAs, and explain how we manage the entire process.