We see two extremes in Florida medical and dental practices. The first is the practice that signs every Business Associate Agreement (BAA) a vendor pushes at them — including the cleaning service, the office snack supplier, and the printer leasing company — on the theory that more is better. The second is the practice that has signed none because nobody was sure when one was actually required. Both extremes create real audit risk. This post is the decision tree we use with clients in Ocala, The Villages, Gainesville, and across North Central Florida to figure out which vendors actually need a BAA under HIPAA.
$100K+: Median OCR settlement for missing BAAs
#1: Most common HIPAA paperwork failure
6 YRS: BAA retention required after termination
0: Verbal BAAs accepted by OCR
What HIPAA Actually Says About Business Associates
The HIPAA Privacy Rule at 45 CFR 160.103 defines a business associate as a person or entity that — on behalf of a covered entity — performs a function or activity involving the use or disclosure of protected health information (PHI). The Omnibus Rule of 2013 extended that definition to anyone who creates, receives, maintains, or transmits PHI in the course of doing work for you, including subcontractors of business associates.
If a vendor meets that definition, you are required under 45 CFR 164.504(e) to have a written, signed BAA in place before the vendor touches PHI. Not after the breach. Not at the next renewal. Before.
// The Test
Does the vendor — in the course of doing their job for you — create, receive, maintain, or transmit PHI? If yes, you need a BAA. If no, you do not. The vendor's industry, size, or marketing claims are not the test.
Vendors That Always Need a BAA
EHR / Practice Management Software
Open Dental, Dentrix, eClinicalWorks, Athenahealth, Kareo, DrChrono, NextGen, Eaglesoft, and every cloud EHR. PHI is the entire product.
IT Managed Service Providers (MSPs)
Simply IT is a business associate. Any MSP with administrator credentials to your workstations, servers, network, or cloud tenants can access PHI by design and must sign a BAA.
HIPAA-Aligned Email Providers
Microsoft 365 (under the standard Online Services Terms HIPAA BAA), Google Workspace (under the Workspace BAA), Paubox, and any encrypted email gateway.
Cloud Backup & Storage of PHI
Datto, Veeam Cloud Connect, Acronis, Microsoft Azure, AWS, Google Cloud, Dropbox Business with HIPAA, Box for Healthcare — if PHI lives in the backup, a BAA is required.
Secure Patient Messaging & Telehealth
Doxy.me, Updox, Klara, OhMD, SimplePractice telehealth, Spruce Health, and any HIPAA-aligned messaging or video tool. Standard Zoom or FaceTime does not qualify.
Medical Billing & RCM Services
Outsourced billing, coding, claims-processing, or revenue-cycle-management firms. They handle claims data and patient demographics every day.
Shredding & Records Destruction Vendors
Any vendor that picks up paper charts, hard drives, or storage media. The PHI does not stop being PHI in the bin.
Transcription, Coding, & Scribing Services
Including AI-driven medical scribes (Abridge, Nuance DAX, Suki, DeepScribe) that ingest patient encounters.
Vendors That Do Not Need a BAA
HHS has been explicit on this in guidance and enforcement examples. The following vendors are typically not business associates because they do not create, receive, maintain, or transmit PHI as part of their service to you:
Janitorial / Cleaning Services
Cleaning the lobby does not give them PHI. Even if a chart is left on a desk, incidental exposure is not 'use or disclosure' under HIPAA.
Building Maintenance, HVAC, Plumbing
Trade contractors who service the physical building. No PHI access in the course of the work.
Couriers Acting as Conduits
FedEx, UPS, USPS, and the postman are explicitly classified as 'conduits' under the Omnibus Rule and do not need BAAs — even when carrying sealed envelopes of PHI.
Internet Service Providers (Conduit-Only)
Spectrum, AT&T, Cox, and other ISPs that only carry encrypted traffic without storing or processing it are conduits, not business associates.
Office Supply & Snack Vendors
Staples, Amazon Business, the coffee service. No PHI in the course of doing business.
Software Vendors With No PHI Access
Your QuickBooks Online subscription, your appointment-reminder service that ONLY uses phone numbers and first names, your CRM if it stores no clinical data.
General Liability or Property Insurance Brokers
Unless they are handling claims that include PHI, a property/casualty broker is not a business associate.
The Gray Area — Ask Before You Sign
A few vendor types sit in a gray area where the answer depends on the specific service configuration. For each one, the deciding question is the same: does the vendor in this engagement create, receive, maintain, or transmit PHI?
Appointment-Reminder Services
If reminders include only a first name and a date/time, often not. If they include the procedure, provider name, or condition, yes.
Answering Services & Virtual Receptionists
If they take messages including symptoms, conditions, or treatment requests, yes. If they only forward callbacks with name and number, often not.
Marketing Agencies
If they only handle your website, branding, and ad creative with no patient data, no. If they run patient-recall campaigns or have access to patient lists, yes.
Copier & Print Vendors
Modern copiers store hard-drive images of every scan. If your copier scans patient charts and the vendor has remote access for diagnostics, you need a BAA — or a contractual hard-drive wipe at end of lease.
Phone System Providers
Standard PBX with no recording? Usually conduit. Cloud VoIP with call recording or voicemail-to-email of clinical messages? BAA required.
What a Real BAA Has to Include
Not every document labeled "BAA" passes. The Privacy Rule at 45 CFR 164.504(e)(2) specifies the required terms. Any BAA you sign should contain all of the following:
Defines permitted and required uses and disclosures of PHI
Prohibits uses or disclosures beyond what the contract or law allows
Requires the business associate to report any breach or security incident
Binds subcontractors to the same restrictions (downstream BAAs)
Provides for individual access, amendment, and accounting of disclosures
Requires return or destruction of PHI at contract termination
Authorizes the covered entity to terminate for material breach
The Three BAA Mistakes We See Most Often
01. No BAA Inventory
Practices have a stack of signed BAAs in a binder — but no list of which vendors they were supposed to sign with. The right starting point is the vendor inventory, not the binder.
02. Vendor-Drafted BAAs With Loopholes
Many vendor-provided BAAs cap their liability at 'amounts paid in the prior 12 months' and exclude indirect or consequential damages. In a six-figure breach you bear the loss. Read the limitation-of-liability section every time.
03. Microsoft 365 / Google Workspace Without Activating the BAA
Both have a standard HIPAA BAA available — but only in business and enterprise tiers, and only after you accept it inside the admin console. Consumer Gmail and Microsoft 365 Family do not qualify, no matter who manages them.
Audit-Ready BAA Inventory — What OCR Will Ask For
In an audit OCR will typically request your vendor inventory and the corresponding BAA for each one. Keep the inventory in a single spreadsheet (or in your compliance platform) with these columns:
"The single fastest way to fail an OCR audit is to be unable to produce a vendor inventory. Not the BAA itself — the inventory. Once you have the inventory, the BAAs follow."
Steve Condit, Simply IT
How Simply IT Handles BAAs for Florida Practices
For every medical and dental client in North Central Florida we maintain a living BAA inventory tied to the vendor catalog — we own the IT vendor side (Microsoft 365, our managed IT platform, our backup vendor, our security stack, our remote-access tooling) and we help the practice walk the rest. We do not draft legal documents; we work alongside your healthcare attorney on the language. What we do is make sure no BAA-required vendor is missing from your inventory and that none of the BAAs you have on file have quietly lapsed or been superseded.
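To make the inventory-first approach concrete, here is an added Python example (not Simply IT's code or tooling) that applies the post's test to an inventory of constructed vendor rows. It flags PHI-handling vendors with no written BAA, BAAs signed after PHI access began, BAAs that a newer agreement has superseded, and rows still inside the six-year post-termination retention window; conduits and non-PHI vendors are left alone. Vendor names, dates, field names and the severity labels are assumptions for illustration.

```python
"""Vendor/BAA inventory audit applying the post's PHI test.

Added example, not Simply IT code. Vendor names, dates and the row
layout are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

RETENTION_YEARS = 6  # keep a BAA this long after the relationship ends


@dataclass
class Vendor:
    name: str
    touches_phi: bool                   # creates, receives, maintains or transmits PHI for you
    conduit_only: bool = False          # only carries sealed/encrypted PHI, never stores or processes it
    phi_access_start: Optional[date] = None
    baa_signed: Optional[date] = None   # date of the written, signed BAA; None = nothing on file
    baa_is_written: bool = True         # False models a verbal "agreement", which OCR does not accept
    baa_superseded_by: Optional[str] = None  # newer vendor terms the practice never re-executed
    terminated: Optional[date] = None   # relationship end date, if any


def baa_required(v: Vendor) -> bool:
    """The test from the post: PHI touched in the course of the work, and not a mere conduit."""
    return v.touches_phi and not v.conduit_only


def retention_deadline(terminated: date) -> date:
    """Termination date plus RETENTION_YEARS (a 29 Feb date rolls to 28 Feb)."""
    try:
        return terminated.replace(year=terminated.year + RETENTION_YEARS)
    except ValueError:
        return terminated.replace(year=terminated.year + RETENTION_YEARS, day=28)


def audit_vendor(v: Vendor, today: date) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one inventory row; empty list = nothing to fix."""
    findings: List[Tuple[str, str]] = []
    if not baa_required(v):
        if v.baa_signed is not None:
            findings.append(("INFO", "BAA on file but not required; vendor touches no PHI or is a conduit"))
        return findings
    if v.baa_signed is None or not v.baa_is_written:
        findings.append(("FAIL", "no written, signed BAA on file for a PHI-handling vendor"))
        return findings
    if v.phi_access_start is not None and v.baa_signed > v.phi_access_start:
        gap = (v.baa_signed - v.phi_access_start).days
        findings.append(("FAIL", f"BAA signed {gap} days after PHI access began"))
    if v.baa_superseded_by:
        findings.append(("FAIL", f"BAA superseded by '{v.baa_superseded_by}'; current version not executed"))
    if v.terminated is not None:
        deadline = retention_deadline(v.terminated)
        if today <= deadline:
            findings.append(("RETAIN", f"relationship ended; keep this BAA until {deadline.isoformat()}"))
        else:
            findings.append(("INFO", "retention window closed; BAA may be archived per records policy"))
    return findings


def audit_inventory(vendors: List[Vendor], today: date) -> Dict[str, List[Tuple[str, str]]]:
    return {v.name: audit_vendor(v, today) for v in vendors}


def failing_vendors(report: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Names of rows with at least one FAIL finding, sorted for stable reporting."""
    return sorted(name for name, f in report.items() if any(sev == "FAIL" for sev, _ in f))


# Constructed sample inventory: every row below is invented.
SAMPLE_INVENTORY = [
    Vendor("Cloud EHR (constructed)", touches_phi=True,
           phi_access_start=date(2021, 3, 1), baa_signed=date(2021, 2, 15)),
    Vendor("Managed IT provider (constructed)", touches_phi=True,
           phi_access_start=date(2020, 1, 10), baa_signed=date(2020, 4, 1)),
    Vendor("Answering service taking clinical messages (constructed)", touches_phi=True,
           phi_access_start=date(2022, 6, 1)),
    Vendor("Overnight courier (constructed)", touches_phi=True, conduit_only=True),
    Vendor("Janitorial service (constructed)", touches_phi=False, baa_signed=date(2022, 9, 9)),
    Vendor("Former billing firm (constructed)", touches_phi=True,
           phi_access_start=date(2014, 1, 1), baa_signed=date(2013, 12, 20),
           terminated=date(2019, 6, 30)),
    Vendor("Backup vendor, old terms (constructed)", touches_phi=True,
           phi_access_start=date(2018, 5, 1), baa_signed=date(2018, 4, 20),
           baa_superseded_by="2023 service agreement"),
]


def sample_report(today: date = date(2024, 1, 15)) -> Dict[str, List[Tuple[str, str]]]:
    """Audit the constructed inventory as of a fixed date so results are reproducible."""
    return audit_inventory(SAMPLE_INVENTORY, today)


if __name__ == "__main__":
    for name, findings in sample_report(date.today()).items():
        print(name, findings or [("OK", "written BAA in place before PHI access")])
```

The row layout mirrors the columns a spreadsheet inventory needs to answer OCR's questions: whether the vendor touches PHI, when access began, when the written BAA was signed, whether it is still the current version, and when the relationship ended. Swapping the constructed rows for a CSV export of the real inventory is the only change needed to run it against a practice's vendor list.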
// Key Takeaway
If a vendor creates, receives, maintains, or transmits PHI on your behalf, you need a written BAA before they touch the data. If they do not touch PHI, you do not. The work is not signing more agreements — it is building the vendor inventory and matching each row to the right answer.
Founder & Owner, Simply IT · US Marine Veteran · 30+ Years IT Experience
Steve Condit founded Simply IT to bring enterprise-grade IT management to small and mid-sized businesses across North Central Florida. With over 30 years of IT experience and a background in the US Marine Corps, Steve built Simply IT around the principle that local businesses deserve the same quality of technology partnership that large companies take for granted — without long-term contracts or national call center support.