Business Associate Agreements for dental practices, explained
What a BAA is, when you legally need one, what it must contain, and the everyday places a dental practice gets exposed without one.
A Business Associate Agreement (BAA) is the contract HIPAA requires between a covered entity (your practice) and any vendor that handles PHI on your behalf. It’s not optional and it’s not boilerplate you can skip: without it, sharing PHI with that vendor is itself a HIPAA violation.
Who is a business associate?
A business associate is anyone who creates, receives, maintains, or transmits PHI to perform a service for you. In a dental practice that typically includes:
- Billing / RCM services and clearinghouses
- Practice-management and cloud software vendors (and their hosting providers)
- IT and managed-service providers who can access systems with PHI
- Document shredding and storage companies
- Many AI and analytics tools
Some relationships are not business-associate relationships: another provider you refer a patient to for treatment, or a true “conduit” that only transports data without accessing it (the postal service, an ISP). When in doubt, assume a BAA is needed and confirm.
What a BAA must contain
Under 45 CFR §164.504(e), a compliant BAA has to, among other things:
- Describe the permitted uses and disclosures of PHI
- Require the vendor to implement appropriate safeguards
- Flow the obligations down to any subcontractors
- Require breach and incident reporting back to you
- Support patients’ rights of access and amendment
- Require return or destruction of PHI at termination
- Allow termination if the vendor materially breaches
The subcontractor chain
Your vendor’s vendors matter. A business associate must have its own BAAs with the subcontractors it uses to handle your PHI — a cloud host, an email provider, an AI API. Exposure flows down the chain, which is why “who are your subprocessors?” belongs on your vendor checklist.
Where dental practices get exposed
| Vendor / situation | BAA needed? | Notes |
|---|---|---|
| Billing / RCM service | Yes | Handles PHI directly on your behalf. |
| Practice-management / cloud PMS | Yes | Stores PHI; the host is a subcontractor. |
| Email or texting PHI | Yes | Only via a provider that will sign a BAA — most consumer email/SMS won’t. |
| IT / MSP with system access | Yes | Access to PHI triggers the requirement. |
| Referral to another provider | No | Treatment disclosure, not a BA relationship. |
| Postal service / ISP conduit | No | Transports without accessing content. |
The most common failures are simple: no BAA on file, a “handshake” instead of a signed one, PHI emailed or texted through a provider that never signed, and no inventory of which vendors actually hold PHI.
Frequently asked questions
When does a dental practice need a BAA?
Whenever a vendor creates, receives, maintains, or transmits PHI for you — and it must be signed before any PHI is shared.
Do I need a BAA with a specialist I refer to?
Generally no — provider-to-provider treatment disclosures aren’t business-associate relationships.
Does a BAA make my practice compliant?
No. It’s required and allocates responsibility, but it doesn’t replace your own safeguards or your duty to vet and monitor the vendor.
Sources
- HHS, Business Associate Contracts, 45 CFR §164.502(e), §164.504(e), and §164.308(b).
- HHS, Definition of “business associate,” 45 CFR §160.103.
- HHS guidance on the conduit exception (e.g., couriers, ISPs).
- HHS, Breach Notification Rule, 45 CFR §§164.400–414.
- ClaimZen, vendor HIPAA checklist.
General information, not legal or compliance advice. HIPAA obligations depend on your organization, your data, and your contracts — consult your privacy/security officer and counsel.
A vendor that signs, and stands behind, the BAA.
ClaimZen operates as a business associate under a signed BAA — with the technical safeguards to back it up.
Get early access