Why Business Associate Agreements (BAAs) Matter More Than Ever in 2026
Business Associate Agreements used to feel like paperwork. In 2026, they are one of the clearest ways regulators and plaintiffs’ attorneys measure whether a small healthcare organization took vendor risk seriously. This guide explains who really counts as a business associate, what your BAAs need to say, and how to close gaps before a breach forces the issue.
Key Points (at a glance)
- A business associate is any person or company, outside your workforce, that performs functions involving the use or disclosure of PHI for you, including IT, billing, EHR, and cloud vendors.
- HIPAA requires written BAAs that spell out permitted uses and disclosures, safeguards, breach reporting duties, and downstream subcontractor obligations.
- OCR enforcement and guidance now regularly focus on vendor management and missing or weak BAAs as key failures, including for small and mid‑sized providers.
- BAAs must cover IT providers and cloud platforms like email, backup, telehealth, analytics, and even some online tracking technologies.
Who Counts as a Business Associate in 2026
Under 45 CFR 160.103, a business associate is any person or entity (other than your workforce) that performs functions or services for you that involve creating, receiving, maintaining, or transmitting PHI. HHS guidance makes clear that this includes a wide range of vendors, not just “healthcare” companies.
For a small Montana medical or dental practice, common business associates include:
- IT service providers and MSPs that have access to systems or data with PHI.
- Cloud‑based EHR vendors.
- Billing and revenue cycle companies.
- Cloud email, file storage, backup, and archiving providers configured to handle PHI.
- Telehealth and patient communication platforms.
- Data transmission services and health information organizations that move PHI on your behalf.
Some vendors that only provide equipment or services without PHI access may fall outside the definition, but the threshold is lower than many practices assume. If the vendor can see, store, or transmit PHI while doing work for you, they probably need a BAA.
What Must Be in a BAA (and What Regulators Look For)
HIPAA’s Privacy Rule requires covered entities to obtain “satisfactory assurances” that business associates will safeguard PHI, documented through a contract that meets the standards in 45 CFR 164.504(e).
Regulators and legal commentators highlight several core elements they expect to see:
- Permitted and required uses and disclosures. The BAA must define how the business associate may use and disclose PHI and prohibit uses not allowed by HIPAA.
- Safeguards and compliance obligations. The business associate must agree to implement appropriate administrative, physical, and technical safeguards and comply with applicable Security Rule requirements.
- Breach and incident reporting. The agreement must require prompt reporting of breaches and security incidents to the covered entity, so you can meet Breach Notification Rule deadlines.
- Subcontractor flow‑down. Business associates must ensure that any subcontractors who handle PHI agree to the same restrictions and conditions.
- Access, amendment, and accounting support. The BAA should address how the business associate will help with patient access requests, amendments, and accounting of disclosures when they hold PHI.
- Return or destruction of PHI. At termination, the business associate must return or destroy PHI where feasible or continue to protect it if destruction is not possible.
OCR investigations routinely request copies of BAAs and evaluate whether they were executed, complete, and followed in practice. Weak or missing terms around breach reporting and security safeguards are frequent pain points.
BAAs With IT Providers and Cloud Platforms
In 2026, many of your highest‑risk business associates are IT and cloud vendors. Federal rules and guidance make several expectations clear:
- Managed IT and MSPs. If they administer systems with PHI, remote into servers or workstations, manage backups, or monitor security, they are business associates and must sign a BAA.
- Cloud email and productivity suites. When configured to store or transmit PHI (for example, email with PHI, shared drives, or collaboration tools), they are business associates and must support HIPAA‑compliant configurations and BAAs.
- Cloud backup and archiving providers. These vendors typically maintain PHI as part of backups and must be treated as business associates, with clear obligations around encryption, retention, and recovery.
- Telehealth and patient communication platforms. OCR has made clear that many telehealth and remote communication tools will require BAAs when used to deliver care and transmit PHI.
- Online tracking and analytics vendors. Updated OCR guidance on tracking technologies clarifies that if tracking tools on your website collect PHI or information that could be tied to individuals seeking care, a BAA or proper authorization may be required.
Big Sky Cybersecurity often steps in here as Montana’s crisis response specialists. We help practices and compliance‑heavy businesses evaluate whether IT and cloud vendors are truly operating under appropriate BAAs and security commitments, not just marketing claims.
The Risks of Missing or Weak BAAs
A missing or weak BAA is not just a technical violation. It directly affects how a breach unfolds and how painful the aftermath becomes.
Recent enforcement and best‑practice analyses highlight several concrete risks:
- Regulatory penalties and corrective action plans. OCR has resolved cases where vendors mishandled PHI without a proper BAA by imposing settlements and corrective plans focused on vendor inventory, contract remediation, and monitoring.
- Shared liability for vendor mistakes. Even though business associates are directly liable under HIPAA, covered entities remain responsible for obtaining satisfactory assurances and overseeing vendors.
- Investigation headaches. During an investigation, OCR expects to see evidence of vendor due diligence, executed BAAs, and follow‑through when problems are identified. Missing documents can significantly worsen the outcome.
- Insurance complications. Cyber and professional liability insurers increasingly scrutinize vendor management, including BAAs, as part of underwriting and post‑incident review.
When a billing company, IT provider, or cloud vendor causes a breach, a strong BAA and a practiced incident response plan can be the difference between a contained event and a long‑running crisis.
How To Inventory Vendors and Close BAA Gaps
Closing BAA gaps starts with a clear view of who touches your data. OCR and industry guidance recommend a structured approach to vendor management:
- Build a complete vendor list. Include EHRs, billing companies, IT and MSPs, cloud email and storage, backup services, telehealth platforms, marketing and analytics services, and any other tools that may touch PHI.
- Classify which vendors are business associates. Apply the HIPAA definition: is the vendor outside your workforce, and does it create, receive, maintain, or transmit PHI on your behalf? If both are true, it likely requires a BAA.
- Collect and review existing BAAs. Confirm that agreements exist, are signed, and include core HIPAA‑required terms such as safeguards, breach reporting, and subcontractor obligations.
- Identify and remediate gaps. For missing BAAs, either obtain appropriate agreements or reconfigure services so they do not handle PHI. For weak BAAs, work with counsel to update language and align with your risk tolerance.
- Integrate BAAs into incident response. Ensure your incident response plan includes vendor notification, joint investigation steps, and post‑incident BAA review and updates.
Big Sky Cybersecurity helps Montana organizations execute this process as part of a battle-tested protection strategy. We inventory vendors, flag high‑risk relationships, and integrate BAAs into real‑world cybersecurity crisis response workflows so your contracts match what actually happens when an incident occurs.
FAQ: BAAs and Small Practices in 2026
We are a small practice. Do we really need BAAs with every vendor that might see PHI?
Yes. HIPAA requires covered entities of all sizes to obtain written BAAs with any vendors that create, receive, maintain, or transmit PHI on their behalf. OCR has enforced these requirements against small and mid‑sized providers, not just large systems.
Is our IT provider a business associate if they just “manage our network”?
If their work involves access to systems that store or process PHI, they are generally considered business associates and should be covered by a BAA. This includes many MSPs and security monitoring providers.
Do we need BAAs for cloud email and file storage?
If those services are used to send, receive, or store PHI, then yes, they typically need to provide HIPAA‑compliant services and execute BAAs. Configuration and access controls also matter, not just the contract.
How do BAAs affect breach response?
BAAs define how quickly business associates must notify you of incidents, how they cooperate with investigations, and what safeguards they must maintain. During an OCR investigation, BAAs and related documentation are a key part of demonstrating due diligence.
How can Big Sky Cybersecurity help us with BAAs and vendor risk?
We work with Montana healthcare organizations and compliance‑heavy businesses to inventory vendors, identify business associates, and align BAAs with real security practices and incident response plans. As Montana’s crisis response team, we bring digital forensics, incident response, and managed cybersecurity monitoring so your vendor contracts are backed by battle-tested protection when prevention fails.
Next Step: Turn BAAs Into Real Protection, Not Just Paper
BAAs are no longer background legal documents. In 2026, they are front‑and‑center evidence of how seriously you manage vendor risk and how ready you are when a vendor mistake becomes your breach.
If you manage PHI in Montana and are not sure whether your BAAs would stand up in a crisis, it is time to get clarity before a regulator or plaintiff forces the issue.