
What is a Business Associate Agreement — and does your IT company have one?

In one sentence

A Business Associate Agreement is a HIPAA-required contract between your practice and any vendor that can access protected health information. Your IT company almost certainly qualifies — they can reach the server, database, and email — so a signed BAA is expected even if they never read a chart. Without one, you have a compliance and liability gap.

Tags: BAA, HIPAA, compliance, vendor, dental IT

What is a Business Associate Agreement (BAA)?

A Business Associate Agreement is a HIPAA-required contract between a covered entity (your dental practice) and a business associate - any vendor that creates, receives, maintains, or transmits protected health information (PHI) on your behalf. It sets out how the vendor will safeguard PHI, what they may do with it, breach-notification duties, and what happens to the data when the relationship ends. In plain terms: if a vendor can touch your patient data, HIPAA expects a BAA in place before they do. (General information, not legal advice.)

Does your IT company need a BAA?

Almost always, yes. Your IT provider can reach the server, the practice-management database, email, and backups - all of which hold or can expose PHI. That makes them a business associate, and a signed BAA is expected even if they "never look at patient records." The ability to access PHI is what triggers the requirement, not whether they actually read it. (See the vendor BAA gap.)

What a BAA typically covers

  • The permitted uses and disclosures of PHI by the vendor.
  • The safeguards the vendor must maintain to protect PHI.
  • Breach notification - if the vendor has an incident, how and when they tell you.
  • Subcontractor obligations - the vendor's own vendors must be covered too.
  • Return or destruction of PHI when the agreement ends.

What happens without one

Without a BAA, you have both a compliance gap and a liability gap. If a breach involves a vendor and no BAA exists, the practice can be held responsible for the missing agreement on top of the breach itself. It is one of the most common - and most avoidable - HIPAA findings for small practices.

How to get it right

  • Inventory your vendors. List everyone who can access PHI: IT, PMS, imaging, email/cloud, billing, shredding.
  • Get a signed BAA with each - current, not a decade-old copy.
  • Keep copies where you can produce them; an agreement you cannot find is hard to rely on.
  • Expect BAA-by-default. A dental-fluent IT provider signs one as a matter of course, not as an upsell. (See Security & Compliance.)

This is general information about Business Associate Agreements, not legal advice. A qualified compliance professional or attorney can advise on your specific agreements and obligations.
