The BAA Inventory Checklist: Account for Every Business Associate Agreement
Most HIPAA enforcement actions involving business associates come down to one document that was never signed. A BAA inventory — a living list of every vendor relationship that touches protected health information, matched to an executed agreement — is the fastest way to find the gap before OCR does. This checklist walks through building one: identifying business associates you may have missed, verifying each agreement contains the provisions 45 CFR § 164.504(e) requires, and keeping the inventory current as vendors change.
Why a BAA inventory (and not just a contracts folder)
- A folder proves you signed something; an inventory proves coverage — every PHI-touching relationship mapped to an executed, current BAA.
- OCR asks for exactly this in investigations and audits: the list of business associates and the agreements.
- Raleigh Orthopaedic Clinic — $750,000 (2016): handed x-ray films containing PHI of roughly 17,300 patients to a vendor without a BAA. Source: HHS.gov bulletin, “$750,000 settlement highlights the need for HIPAA business associate agreements.”
- Center for Children’s Digestive Health — $31,000 (2017): used a paper-records storage vendor (FileFax) for years — records of 10,728+ patients — with no written BAA on file. Source: HHS.gov, “No Business Associate Agreement? $31K Mistake.”
- Neither case involved a breach by the vendor. The missing agreement itself was the violation.
Step 1 — Identify every business associate (the part everyone gets wrong)
Definition anchor: 45 CFR § 160.103 — a business associate creates, receives, maintains, or transmits PHI on behalf of a covered entity. “Maintains” includes vendors who merely store PHI, even if they never view it.
Commonly missed business associates
- EHR-adjacent tools: e-prescribing gateways, patient-intake/forms vendors, appointment-reminder and recall services
- IT: managed service providers, cloud hosting/backup, email encryption, fax-over-IP
- Billing chain: clearinghouses’ downstream vendors, RCM firms, collections agencies
- Physical: shredding companies, offsite records storage, equipment recyclers (the Raleigh Orthopaedic trap)
- Practice operations: answering services, transcription, translation services with PHI access
- Marketing/analytics tools that touch patient data (web forms, chat widgets, tracking pixels on portal pages)
Who is NOT a business associate
- Conduits (USPS, pure ISPs), members of your own workforce, other providers when disclosure is for treatment
- Janitorial/maintenance with incidental exposure only
Step 2 — Build the inventory (column-by-column)
Track each vendor relationship in a single living record. At minimum, capture these columns:
- Vendor
- Service
- PHI touched (type / volume)
- Business associate or subcontractor?
- BAA executed? (date)
- BAA version / last reviewed
- Required provisions verified?
- Termination / return-of-PHI terms
- Owner
- Next review date
Step 3 — Verify each BAA has the required provisions
Anchor: 45 CFR § 164.504(e) (Privacy Rule) and § 164.314(a) (Security Rule); the obligation to obtain assurances sits at § 164.502(e) and § 164.308(b). Each BAA must:
- Establish permitted and required uses and disclosures of PHI
- Prohibit use or disclosure beyond the contract or as required by law
- Require appropriate safeguards, including Security Rule compliance for ePHI
- Require breach and security-incident reporting to the covered entity
- Require business associates to flow the same restrictions down to subcontractors (post-2013 Omnibus Rule — subcontractor BAAs are mandatory)
- Provide for PHI access, amendment, and accounting-of-disclosures support
- Make books and records available to HHS
- Require return or destruction of PHI at termination
- Authorize termination if the business associate violates a material term
Step 4 — Close the gaps you find
- No BAA on file → stop new PHI flows to that vendor until a BAA is executed; document the remediation date
- Pre-2013 BAA never updated for Omnibus → re-paper it (add subcontractor and breach-notification language)
- Vendor refuses to sign → they cannot receive PHI; find an alternative or de-identify the data
- Tie each gap into your annual risk analysis — an unmanaged vendor relationship is a findable risk in your HIPAA risk assessment
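The inventory columns from Step 2, the provision list from Step 3, and the gap rules from Step 4 fit naturally in a small script, so here is one as an added illustration (it is not Medcurity's product code or anything from HHS). It assumes the short provision tags, the gap codes, the Omnibus compliance date of 23 September 2013 as the "pre-2013" cutoff, and a constructed four-row sample inventory; a real run would load the same columns from the practice's spreadsheet or GRC export.

```python
"""Gap check over a BAA inventory: one row per vendor relationship,
one list of gap codes per row. Added example; tags and sample rows are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

# Short tags for the nine provisions Step 3 lists from 45 CFR 164.504(e).
# The tag names are our own; the underlying requirements are the regulation's.
REQUIRED_PROVISIONS: Set[str] = {
    "permitted_uses",            # permitted and required uses/disclosures
    "no_unauthorized_disclosure",  # nothing beyond the contract or the law
    "safeguards",                # appropriate safeguards, Security Rule for ePHI
    "breach_reporting",          # breach and security-incident reporting
    "subcontractor_flowdown",    # same restrictions flow to subcontractors
    "individual_rights",         # access, amendment, accounting of disclosures
    "hhs_books_records",         # books and records available to HHS
    "return_or_destroy",         # return or destruction of PHI at termination
    "termination_for_cause",     # termination on material violation
}

# Omnibus Rule compliance date; an agreement last touched before this is "pre-Omnibus".
OMNIBUS_COMPLIANCE = date(2013, 9, 23)


@dataclass
class VendorRecord:
    """One inventory row, mirroring the Step 2 columns."""
    vendor: str
    service: str
    phi_touched: str
    relationship: str                       # "business associate", "subcontractor", or "not a BA"
    baa_executed: Optional[date] = None
    baa_last_reviewed: Optional[date] = None
    provisions_verified: Set[str] = field(default_factory=set)
    owner: str = ""
    next_review: Optional[date] = None


def find_gaps(rec: VendorRecord, today: date) -> List[str]:
    """Apply the Step 4 rules to one row and return its gap codes (empty list = clean)."""
    if rec.relationship == "not a BA":       # conduits, workforce, treatment disclosures
        return []
    if rec.baa_executed is None:
        return ["NO_BAA"]                    # nothing else to verify until an agreement exists
    gaps: List[str] = []
    last_touched = rec.baa_last_reviewed or rec.baa_executed
    if last_touched < OMNIBUS_COMPLIANCE:
        gaps.append("PRE_OMNIBUS")           # needs subcontractor + breach-notification language
    for missing in sorted(REQUIRED_PROVISIONS - rec.provisions_verified):
        gaps.append(f"MISSING_PROVISION:{missing}")
    if rec.next_review is None or rec.next_review < today:
        gaps.append("REVIEW_OVERDUE")        # quarterly delta / annual re-verification slipped
    if not rec.owner:
        gaps.append("NO_OWNER")              # every row needs a named person
    return gaps


def inventory_report(rows: List[VendorRecord], today: date) -> dict:
    """Map vendor name -> gap codes, listing only rows that have at least one gap."""
    report = {}
    for rec in rows:
        gaps = find_gaps(rec, today)
        if gaps:
            report[rec.vendor] = gaps
    return report


# Constructed sample inventory (vendor names and dates are invented).
SAMPLE_INVENTORY = [
    VendorRecord("CloudBackupCo", "offsite backup", "full ePHI, all patients",
                 "business associate", owner="IT Director", next_review=date(2026, 3, 1)),
    VendorRecord("ShredRight", "paper shredding", "paper records, ~10k patients",
                 "business associate", baa_executed=date(2011, 4, 2),
                 provisions_verified=REQUIRED_PROVISIONS - {"breach_reporting", "subcontractor_flowdown"},
                 owner="Office Manager", next_review=date(2024, 4, 2)),
    VendorRecord("RxGateway", "e-prescribing", "prescription data",
                 "business associate", baa_executed=date(2022, 6, 1),
                 baa_last_reviewed=date(2025, 6, 1), provisions_verified=set(REQUIRED_PROVISIONS),
                 owner="Privacy Officer", next_review=date(2026, 6, 1)),
    VendorRecord("USPS", "mail delivery", "mailed statements", "not a BA"),
]
TODAY = date(2025, 10, 1)  # fixed so the report is reproducible

if __name__ == "__main__":
    for vendor, gaps in inventory_report(SAMPLE_INVENTORY, TODAY).items():
        print(f"{vendor}: {', '.join(gaps)}")
```

Running it lists CloudBackupCo (no BAA at all) and ShredRight (a 2011 agreement never re-papered, missing the two Omnibus provisions, and past its review date); the e-prescribing gateway and the mail carrier produce no findings. The NO_BAA rule deliberately short-circuits the rest, since provision checks are meaningless without an executed agreement.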
How often to review the inventory
- Quarterly delta review (new vendors, terminated vendors); full re-verification annually, aligned to your security risk analysis
- Trigger events: a new EHR module, a new marketing tool, M&A activity, or a vendor breach in the news
- Note for 2026: the proposed HIPAA Security Rule update (NPRM) would tighten business-associate verification expectations — see our HIPAA Security Rule 2026 update tracker (proposed, not final — re-verify before relying on it)
Small-practice and vertical notes
- Dental, behavioral health, and other small practices are not exempt — CCDH was a single-specialty pediatric group. Vertical guides: dental and FQHCs / community health centers.
- Why vendor-inventory tooling belongs in healthcare-specific GRC rather than a generic platform: vertical vs. horizontal GRC.
Frequently asked questions
Do I need a BAA with a cloud provider that only stores encrypted PHI and has no key?
Yes. HHS cloud guidance is explicit — a cloud service provider that maintains ePHI is a business associate even if it cannot view the data (“no-view” services still require a BAA).
Do subcontractors of my business associate need their own BAA with me?
No — your business associate must execute BAAs with its subcontractors (a chain of contracts), but you should verify in your BAA that the flow-down obligation exists.
What’s the penalty for not having a BAA?
It is a violation independent of any breach. Raleigh Orthopaedic paid $750,000; CCDH paid $31,000 — both for the missing agreement itself.
Does a BAA expire?
BAAs don’t expire by statute, but pre-Omnibus (2013) agreements are out of compliance with current required provisions and should be re-papered.
Manage business associate agreements in one place. Medcurity gives healthcare organizations vendor and BAA management — inventory, e-signature, and renewal tracking — alongside the risk analysis it all ties back to. See how it works.