Your vendor had no BAA. Your patients' data was in their system for two years. OCR wants to know why.
Business associates handle PHI on behalf of covered entities - from cloud storage to billing services to IT support. Under HITECH, BAs are directly liable for HIPAA violations. EZBunny's course teaches your team who counts as a BA, what goes into an agreement, and how to manage the chain of trust.
HIPAA requires a Business Associate Agreement with any vendor that creates, receives, maintains, or transmits PHI on your behalf.
Course Details
20 minutes
Privacy
HIPAA / HITECH
Online, self-paced
What your team will learn
- What makes a vendor a business associate under HIPAA
- Who does NOT qualify as a business associate (treatment providers, conduits)
- Required elements of a Business Associate Agreement
- Direct liability for BAs under the HITECH Act
- The subcontractor chain of trust and downstream BAA requirements
- Common BA violations and how to avoid them
- BAA termination procedures and PHI return/destruction requirements
Who needs this training?
Every organization that shares PHI with vendors needs BA awareness training. In the table below, Required = required by regulation; Recommended = strongly recommended.
| Practice Type | Status | Authority |
|---|---|---|
| Telehealth Providers | Required | HIPAA (telehealth platforms are often BAs) |
| Physician Practices & Medical Groups | Recommended | HIPAA |
| Dental Offices | Recommended | HIPAA |
| Urgent Care Centers | Recommended | HIPAA |
| Home Health Agencies | Recommended | HIPAA |
| Behavioral Health & SUD Treatment | Recommended | HIPAA |
| Chiropractic Offices | Recommended | HIPAA |
| Physical Therapy & Rehab Clinics | Recommended | HIPAA |
| Ambulatory Surgery Centers (ASCs) | Recommended | HIPAA |
| Pharmacies | Recommended | HIPAA |
| Mental Health Private Practices | Recommended | HIPAA |
| Community Health Centers (FQHCs) | Recommended | HIPAA |
Which roles must complete this training?
Anyone who manages vendor relationships or handles PHI shared with external parties:
- Front Desk / Scheduler: Often the first point of contact for vendor interactions
- IT / EHR Administrator: Manages technology vendors with PHI access
- Practice Manager: Oversees vendor contracts and BAA execution
- Compliance Officer: Monitors BA compliance and BAA inventory
- Billing Staff: Works with billing clearinghouses and third-party payers
BA awareness training should be provided at hire and whenever new vendor relationships are established.
Common Business Associate training questions
What makes someone a business associate?
A BA is any person or entity that performs functions involving the use or disclosure of PHI on behalf of a covered entity. Common examples include EHR vendors, cloud storage providers, billing companies, IT consultants, shredding services, and answering services. The key factor is whether the vendor creates, receives, maintains, or transmits PHI as part of their service.
What must a Business Associate Agreement include?
A BAA must specify permitted uses/disclosures of PHI, require appropriate safeguards, require reporting of breaches and security incidents, ensure subcontractors agree to the same restrictions, and provide for return or destruction of PHI upon termination. Both the covered entity and business associate should review the agreement to ensure all required elements are present before any PHI is shared.
Are business associates directly liable for HIPAA violations?
Yes. Since the HITECH Act, BAs are directly subject to HIPAA Security Rule requirements and can face OCR enforcement actions and civil monetary penalties independently of the covered entity. This means BAs must implement their own safeguards, conduct risk assessments, and maintain compliance programs - they cannot rely solely on the covered entity's compliance.
What happens if we don't have a BAA with a vendor handling PHI?
Operating without a BAA when one is required is itself a HIPAA violation. Both the covered entity and the BA can face enforcement. If a breach occurs, the lack of a BAA significantly increases liability and penalties. OCR has issued settlements specifically for failure to obtain BAAs from vendors handling PHI.
Make sure your team knows who your business associates are - and what's required
20 minutes per person. Certificate on completion. Start your 14-day free trial now.
Regulatory Disclaimer
Training requirements vary by organization type, size, state, payer mix, and accreditation. This guide reflects common federal and state requirements as of April 2026 and is not legal advice. Consult your compliance officer or legal counsel for requirements specific to your organization. State-specific content currently covers CA, TX, FL, NY, and IL. Additional states may have requirements not listed here. Last reviewed: April 2026.