A Business Associate Agreement (BAA) is the contract HIPAA requires between your practice and any outside company that can create, receive, store, or transmit your patients' protected health information. Your IT provider is one of those companies — which means if they won't sign a BAA, they're a liability you're carrying without knowing it.

The two roles HIPAA cares about

Your dental practice is a covered entity — you provide care and handle patient health information directly. Any vendor you bring in who can touch that information on your behalf is a business associate. When a covered entity hands ePHI (or access to it) to a business associate, HIPAA requires a written contract governing how that data is protected. That contract is the BAA.

Is my IT company really a "business associate"?

Almost always, yes. If your IT provider can remote into the front-desk computer, administer the server where charts live, manage your backups, or access your email — they can reach protected health information. That access makes them a business associate whether or not they ever open a single patient record. The Department of Health and Human Services has been explicit that IT and data-services vendors with access to ePHI fall in scope.

The test isn't "do they look at patient data?" It's "could they?" Access is the trigger.

What a BAA actually requires of them

A proper BAA commits your vendor to, among other things:

  • Safeguard your ePHI with appropriate administrative, physical, and technical controls.
  • Use and disclose it only as the agreement and the law permit.
  • Report security incidents and breaches to you — promptly.
  • Make sure their own subcontractors are bound by the same terms.
  • Return or destroy your data when the relationship ends.

In other words, it puts your vendor on the hook in writing for protecting your patients' data — and gives you a paper trail proving you did your due diligence.

Why "the computer guy" without a BAA is a real risk

Plenty of small practices rely on a local generalist, a friend-of-a-friend, or a national break-fix shop that has never heard the phrase. If that vendor can reach your systems and there's no BAA, two things are true at once: you're out of compliance, and after an incident there's no contract holding them responsible. You absorb the whole exposure.

When the HHS Office for Civil Rights reviews a practice, missing BAAs are a routine finding — and they're entirely avoidable.

What to do this week

  1. List every vendor who can reach your systems or data: IT support, your practice-management/cloud software, your email host, your backup service, even your copier-lease company if the machine stores images.
  2. For each, confirm you have a signed BAA on file.
  3. Anywhere the answer is "no" or "not sure," fix it — get the BAA signed or replace the vendor.

Where Sentoria fits: we sign a BAA on day one — being your business associate, and acting like one, is the baseline, not an add-on. If a prospective IT partner hesitates when you ask for a BAA, that hesitation is your answer.