BAA & Vendor Management

Business Associate Agreement FAQ

BAA Vendor Vetting: Who Needs One & What to Review

15 questions covering Business Associate definitions, specific vendor BAA requirements for Microsoft 365, Google Workspace, IT companies, shredding services, and more. Plus vendor vetting, review processes, and what to do when a vendor refuses to sign.

BAA Basics

A Business Associate is a person or company paid to do work that involves patient data, known as protected health information (PHI). If the work involves using, sharing, sending, storing, or handling PHI, that company may be a Business Associate.

A BAA is a contract between two parties who handle patient data. It spells out who is in charge of keeping that data safe. Learn more about our BAA management services.

Many people think every vendor needs a BAA. That is not true. Being a vendor and being a Business Associate are not the same thing.

Specific Vendor BAA Requirements

It depends on how you use Microsoft 365. If Microsoft stores, sends, or handles your electronic patient data (ePHI), then yes, you likely need a BAA with them.

If you use Google Workspace to store, send, or handle patient data, you should get a BAA from Google.

For IT companies, in most cases, yes. Even if an IT company does not store patient data directly, their work often gives them access to the systems that hold it.

Yes. Shredding companies destroy records that contain patient data, so they are almost always Business Associates.

Usually, no. But you should still take basic steps to protect private info. Some practices use a simple privacy agreement just in case.

BAA Management

Fix a missing BAA as soon as you find it.

Most practices review their BAAs once a year or when there is a major change in the vendor relationship.

Vendor Vetting & Due Diligence

One of the biggest mistakes is failing to evaluate vendor risk.

At a minimum, check whether a BAA is needed and review the vendor's risk. Use a short survey, a security review, or both.

Know exactly how patient data will be shared, stored, sent, accessed, or released.

Yes. A vendor can refuse to sign a BAA, just as they can decline to sign any agreement.

If a vendor refuses, weigh the risks of keeping them. Decide whether you can still use them safely or whether you need to find a new option.

One Guy Consulting helps practices inventory their vendors, determine which require BAAs, and manage the entire BAA execution process. Our vendor management service includes risk evaluation and ongoing monitoring.

Need Help Managing Your Business Associate Agreements?

Book a free 30-minute intro call. We will review your vendors, tell you which ones need BAAs, and show you how we handle the whole process.
