
Ekim IT Solutions


What Is a Business Associate Agreement and Who Signs One

Guide to Business Associate Agreements in dental practices covering what a BAA is, which vendors need to sign one, and the risks of operating without one.

A Business Associate Agreement is a legally required contract between a dental practice and any vendor that creates, receives, stores, or transmits protected health information on the practice’s behalf. It is a HIPAA requirement, not a best practice. Dental practices that use vendors without signed BAAs are non-compliant from the moment they start using that service.

Here is what a BAA actually is, who needs to sign one, and what the consequences are for practices that skip them.

What Makes This Different From Other Compliance Requirements

Using any vendor that handles patient data without a signed BAA is a HIPAA violation regardless of whether a breach occurs.

The violation is the absence of the agreement, not the exposure of data. OCR has levied fines against dental practices specifically for missing BAAs discovered during routine complaint investigations that had nothing to do with a breach.


What a Business Associate Agreement Does

A BAA defines the responsibilities of each party for protecting patient data. It is a contract between the dental practice and the vendor, not a certification or a form.

Vendor obligations. The vendor (Business Associate) agrees to:

- Use patient data only for the purposes defined in the agreement.
- Implement safeguards to protect it.
- Report any breaches to your practice.
- Return or destroy the data when the relationship ends.

Practice obligations. The practice (Covered Entity) agrees to:

- Provide data only in the ways defined in the agreement.
- Notify the vendor of any restrictions on how patient data may be used.
- Not request the vendor to use patient data in ways that would violate HIPAA.

BAA Vendor Coverage Tracker

Check each vendor category where a signed BAA is on file. Every unchecked vendor category that handles patient data is an active HIPAA compliance gap.


Who Does Not Need a BAA

Dental supply company: They deliver supplies but do not access patient records or systems.
Landlord: Building access does not involve patient data unless they provide services that touch clinical systems.
Marketing or SEO agency: Unless they have access to patient contact information or health data, marketing vendors are not Business Associates.

How to Get a BAA Signed

Ask before using the service, not after. Most healthcare-focused vendors have a standard BAA ready to sign as part of their onboarding process. Some make BAAs available through their website or support portal. Others require a direct request to their sales or legal team.
Keep signed BAAs in a centralized file accessible to your HIPAA Privacy Officer. OCR may request them during an audit or investigation. Practices that cannot produce signed BAAs for current vendors in active use have an immediate compliance gap.
Do not assume a vendor is HIPAA compliant because they serve dental practices. Confirm a signed BAA exists before using any service that touches patient data, regardless of how many other practices use that vendor.

Frequently Asked Questions

Using a vendor without a signed BAA is a HIPAA violation. If OCR investigates your practice for any reason and discovers unsigned or missing BAAs, the practice is subject to corrective action and potentially financial penalties. The penalty is assessed based on the fact of non-compliance, not on whether patient data was actually mishandled.

Yes. Your IT managed services provider accesses your systems, which contain patient data. They are a Business Associate under HIPAA and must sign a BAA before providing services. A dental IT provider who refuses to sign a BAA or claims one is not necessary does not understand HIPAA requirements and should not be providing IT services to healthcare practices.

HIPAA requires that compliance documentation, including BAAs, be retained for six years from the date of creation or the date it was last in effect, whichever is later. When you terminate a vendor relationship, keep the BAA on file for the full six-year retention period from the termination date.

A BAA itself does not have a standard expiration date. However, BAAs may become outdated if the services provided change significantly, if the vendor is acquired, or if HIPAA regulations change in ways that require updated agreement language. Review BAAs with key vendors at least every two to three years and update them when the underlying service relationship changes materially.
Not sure if every vendor your practice uses has a signed BAA on file or if some are operating without one?

Ekim IT Solutions works exclusively with dental practices. We serve New England and New York with on-site support and dental practices nationwide with remote support. Every Ekim engagement includes a signed BAA and we help practices identify which other vendors in their stack require one so no relationship stays uncovered.

One vendor without a signed BAA is enough to put your practice out of compliance. Find out if your stack has any gaps.