Business Associate Agreements for dental practices, explained

What a BAA is, when you legally need one, what it must contain, and the everyday places a dental practice gets exposed without one.

By ClaimZen · Updated July 2026 · ~6 min read

A Business Associate Agreement (BAA) is the contract HIPAA requires between a covered entity (your practice) and any vendor that handles PHI on your behalf. It’s not optional and it’s not boilerplate you can skip: without it, sharing PHI with that vendor is itself a HIPAA violation.

Who is a business associate?

A business associate is anyone who creates, receives, maintains, or transmits PHI to perform a service for you. In a dental practice that typically includes:

Some relationships are not business-associate relationships: another provider you refer a patient to for treatment, or a true “conduit” that only transports data without accessing it (the postal service, an ISP). When in doubt, assume a BAA is needed and confirm.

What a BAA must contain

Under 45 CFR §164.504(e), a compliant BAA has to, among other things:

The subcontractor chain

Your vendor’s vendors matter. A business associate must have its own BAAs with the subcontractors it uses to handle your PHI — a cloud host, an email provider, an AI API. Exposure flows down the chain, which is why “who are your subprocessors?” belongs on your vendor checklist.

Where dental practices get exposed

Vendor / situationBAA needed?Notes
Billing / RCM serviceYesHandles PHI directly on your behalf.
Practice-management / cloud PMSYesStores PHI; the host is a subcontractor.
Email or texting PHIYesOnly via a provider that will sign a BAA — most consumer email/SMS won’t.
IT / MSP with system accessYesAccess to PHI triggers the requirement.
Referral to another providerNoTreatment disclosure, not a BA relationship.
Postal service / ISP conduitNoTransports without accessing content.

The most common failures are simple: no BAA on file, a “handshake” instead of a signed one, PHI emailed or texted through a provider that never signed, and no inventory of which vendors actually hold PHI.

Any vendor that touches your PHI — ClaimZen included — must operate under a signed BAA before a single record is shared. The difference worth vetting is whether the technical safeguards behind that BAA are real: see HIPAA compliance by design.

Frequently asked questions

When does a dental practice need a BAA?

Whenever a vendor creates, receives, maintains, or transmits PHI for you — and it must be signed before any PHI is shared.

Do I need a BAA with a specialist I refer to?

Generally no — provider-to-provider treatment disclosures aren’t business-associate relationships.

Does a BAA make my practice compliant?

No. It’s required and allocates responsibility, but it doesn’t replace your own safeguards or your duty to vet and monitor the vendor.

Sources

  1. HHS, Business Associate Contracts, 45 CFR §164.502(e), §164.504(e), and §164.308(b).
  2. HHS, Definition of “business associate,” 45 CFR §160.103.
  3. HHS guidance on the conduit exception (e.g., couriers, ISPs).
  4. HHS, Breach Notification Rule, 45 CFR §§164.400–414.
  5. ClaimZen, vendor HIPAA checklist.

General information, not legal or compliance advice. HIPAA obligations depend on your organization, your data, and your contracts — consult your privacy/security officer and counsel.

A vendor that signs, and stands behind, the BAA.

ClaimZen operates as a business associate under a signed BAA — with the technical safeguards to back it up.

Get early access