
Ekim IT Solutions


What Is a Business Associate Agreement in Dentistry


If any vendor, contractor, or service provider has access to your patient data, HIPAA requires a signed agreement between your practice and that vendor. That agreement is called a Business Associate Agreement, or BAA. Without it, both parties are out of compliance, and your practice bears the legal exposure.

Most dental practices have at least a few vendors who access patient data without a signed BAA in place. Understanding what a BAA is, who qualifies as a business associate, and what the agreement covers helps close that gap before an OCR investigation finds it first.

Callout: Missing Business Associate Agreements are one of the most common findings in OCR HIPAA investigations. A practice can have excellent technical security and still face significant fines if vendors with access to patient data have not signed BAAs. The agreement is a legal requirement, not optional paperwork.

What a Business Associate Is

A business associate is any person or organization that performs a function or activity on behalf of a covered entity that involves the use or disclosure of protected health information. The business associate does not have to be in healthcare. They simply need to have access to your patient data to do their job.

In a dental practice, business associates commonly include IT providers, billing services, cloud backup providers, practice management software companies, imaging software vendors, document storage services, collection agencies, and shredding services. Each one of these relationships requires a signed BAA before PHI is shared.

What a BAA Actually Says

A Business Associate Agreement is a contract that obligates the vendor to protect the PHI they access. At minimum, a compliant BAA must address the following.

Permitted uses and disclosures

The BAA defines exactly what the business associate is allowed to do with your patient data. They can use it only for the purposes defined in the agreement, which should match the services they are providing to your practice.

Safeguards

The agreement requires the business associate to implement appropriate safeguards to protect PHI. For ePHI, this means the technical controls required by the HIPAA Security Rule.

Breach notification

The BAA must require the business associate to notify your practice of any breach or suspected breach of PHI within 60 days of discovering it. This is what triggers your own breach notification obligations to patients and HHS.

Return or destruction of PHI

When the business relationship ends, the BAA must address what happens to the PHI the vendor holds. It is either returned to your practice or destroyed, with written confirmation.

Callout: Four dental vendors that must sign a BAA. The IT provider, whose remote system access means potential access to patient records and backups. The billing or insurance service, whose claims and financial records are connected to patient identities. The cloud backup provider, whose infrastructure stores your patient data. PMS and imaging vendors, through whose systems patient records and imaging data live or pass.

Who Does NOT Need a BAA

Not every vendor requires a BAA. The ADA notes that dental laboratories generally fall under HIPAA’s definition of healthcare provider and do not require a BAA for disclosures related to patient treatment. Your internet service provider typically does not require one because they transmit data but do not access the content. Staff members, including employees and contractors who work under your direct supervision, are not business associates and do not require BAAs.

When in doubt, ask whether the vendor could access patient information in the course of providing their service. If the answer is yes, a BAA is required.

What Happens Without a BAA

Operating without a required BAA is a HIPAA violation. If OCR investigates and finds that vendors with access to your patient data have not signed BAAs, your practice faces penalties for each missing agreement. If one of those vendors experiences a breach, your practice is still responsible for notifying affected patients because the data was yours and you failed to establish proper contractual protections.

The vendor’s liability does not eliminate yours. HIPAA holds covered entities responsible for the safeguards in place around their patient data, including the agreements they require from the vendors they work with.

Frequently Asked Questions

Can I use a template BAA?

Yes. HHS provides sample BAA language on their website. Many vendors also have standard BAA templates they use with all healthcare clients. The important thing is that the agreement is signed by both parties and contains the required elements. A template that meets HIPAA requirements is legally sufficient.

What if a vendor refuses to sign a BAA?

A vendor who refuses to sign a BAA cannot legally handle your patient data. You have two options: find a different vendor who will sign one, or restructure the relationship so the vendor never has access to PHI. Continuing to use a vendor who has access to PHI without a signed BAA is a HIPAA violation.

How often do BAAs need to be updated?

BAAs should be reviewed whenever the nature of the vendor relationship changes significantly. The 2013 HIPAA Omnibus Rule expanded business associate liability, and many older BAAs do not reflect the current requirements. Any BAA signed before 2013 should be updated.

Does Ekim provide a BAA to dental practices?

Yes. A signed Business Associate Agreement is a standard part of every Ekim IT Solutions client relationship. We provide BAAs to all dental practices we serve, including those we support remotely across all 50 states and those we serve on-site in New England and New York.

Do you have signed BAAs with all your vendors?

Ekim IT Solutions works exclusively with dental practices. We serve New England and New York with on-site support and dental practices nationwide with remote support. We handle security, compliance, and everything in between so you can focus on patients.

Schedule a Fit Call: Find out in 15 minutes if we are the right fit for your practice.

Ezra Angelo