Does Your Dental Practice Need a BAA, and With Which Vendors? (2026)
By Dolev Arama · Updated June 2026
A North Carolina clinic handed a stack of old X-ray films to a vendor that promised to recycle them for the silver. No contract, just a phone call. That one missing piece of paper cost the practice $750,000. The vendor was not doing anything sinister; it was digitizing films. The real problem was quieter: the clinic gave patient records to an outside company without a business associate agreement (BAA), the contract HIPAA requires before a vendor touches patient data. Your practice almost certainly needs one too, and probably with more vendors than you would guess. If a company creates, receives, stores, or transmits your patients' data, you need a signed BAA with it first. Here is which of your vendors qualify, how to get the agreement, and what skipping it costs.
Before you go vendor by vendor, it helps to see where your practice actually stands. The free HIPAA Scorecard checks your BAAs and the other controls an auditor looks at first, then scores your practice out of 100. About three minutes. Check my practice →
What a BAA is, and what HIPAA actually requires
A business associate agreement, or BAA, is a written contract between your practice and any outside company that handles protected health information on your behalf. HIPAA calls that company a business associate (45 CFR § 160.103). The rule is blunt about the order of operations: you may disclose patient data to a business associate only after it gives you satisfactory assurances, in writing, that it will protect the data (45 CFR § 164.502(e)).
The Security Rule says the same thing for electronic records, in its own words. A covered practice may let a vendor create, receive, maintain, or transmit electronic patient information only after obtaining written assurances that the vendor will safeguard it (45 CFR § 164.308(b)). Those assurances have required contents: the vendor must agree to follow the Security Rule, to report security incidents and breaches back to you, and to bind its own subcontractors to the same terms (45 CFR § 164.314(a)).
Under HIPAA, you may hand patient data to an outside company only after it signs an agreement promising, in writing, to protect it. No agreement, no data.
That last line is not a slogan. It is the part Raleigh Orthopaedic missed, and it is the part a checklist alone will not catch.
Which of your vendors need a BAA?
Start with one question for each vendor: does this company create, receive, store, or transmit our patients' information to do its job? If the answer is yes, it is almost certainly a business associate, and it needs a BAA. That phrase covers far more than the companies that obviously look at patient charts.
Industry compliance guides put a typical dental office at eight to fifteen business associates, and some practices have more than twenty. Here is how the common dental-office vendors usually fall. Treat it as a starting map, not a substitute for checking each contract.
- Practice-management and imaging software (PMS, EHR, the cloud platform behind your charts and x-rays): Yes. It stores your entire patient database. Cloud-based vendors almost always have a BAA ready on request.
- Billing service or claims clearinghouse: Yes. It transmits claims containing patient data to payers on your behalf.
- IT support or managed-services provider (MSP): Almost always yes. If the company can reach the systems that hold patient data, even only to fix them, it is a business associate. This is the vendor practices most often forget.
- Cloud storage and backup: Yes. A service that stores electronic patient data is a business associate even when the data is encrypted and the vendor never views it.
- Email, secure messaging, and file-sharing: It depends. If the service stores or routes patient data through its own systems, such as emailing an x-ray to a specialist, the provider needs a BAA. A pure transmission line, like your phone carrier or internet provider, does not.
- Records, film, and hard-drive disposal (shredding and e-waste): Yes, when the vendor handles media that still contains patient data. Raleigh's vendor was, in effect, a film-recycling service.
- Answering service, virtual reception, and scheduling: Yes, if the staff or software can see patient names, numbers, or appointment details.
- AI tools (scribes, chatbots, imaging assistants): Yes, on the same terms as any other vendor. Whether ChatGPT is HIPAA compliant in a dental practice, and how to run the five-question BAA test on an AI scribe, are their own questions.
The one real exception is narrow. A vendor that only carries data from one point to another without storing it, a true conduit such as the postal service or an internet provider, is not a business associate. OCR draws the line at whether the company maintains or can access the data, not at whether anyone there looks. That is why cloud storage and most email services are business associates and the phone company is not. When in doubt, treat the vendor as one and ask for the agreement.
A few relationships do not need a BAA, and they trip people up. You do not sign one with another healthcare provider you share records with for a patient's treatment. That is why a dental lab you send impressions or images to for a case does not need one: under HIPAA's treatment exception, HHS and the ADA treat the lab as another health care provider, not your business associate. You also do not sign one with your own staff, who are workforce members rather than vendors. The treatment exception is narrow, though: if that lab or another provider does a non-treatment job for you, such as billing or records review, the BAA requirement comes back.
What one missing BAA can cost
The risk is not theoretical, and it is not only historical. In 2025, an attacker reached roughly 1.2 million patient records at Absolute Dental, a Nevada dental group, through a single compromised account belonging to its outside IT vendor. The practice agreed to a $3.3 million class-action settlement, with a final approval hearing set for July 2026. A BAA would not have stopped that intrusion by itself, but the case is a plain lesson in why the contract matters: your vendor's access to your systems is your attack surface, and the BAA is where you pin down what that vendor must do to protect it.
Skipping the agreement is its own, separately punishable failure. Raleigh Orthopaedic Clinic reported a breach to the federal government in 2013, after it gave a vendor the X-ray films and records of 17,300 patients so the films could be digitized and the silver recovered. The arrangement was made over the phone, with no BAA. OCR's investigation did not turn on the recycling. It turned on the missing contract. The clinic paid $750,000 and accepted a corrective action plan that, among other things, required it to name one person responsible for getting a BAA from every vendor before any data is shared.

If a vendor breach does reach your patients, responding to a dental data breach is a separate process with its own deadlines. The cheaper path is to close the gap before anything goes wrong.
Most practices have at least one vendor touching patient data without a signed BAA, and it is the kind of gap that is hard to see from inside the office. The free HIPAA Scorecard checks for it, and for the other controls OCR looks at first, in about three minutes. Check my practice →
How to get a BAA from a vendor
None of this needs a lawyer for the routine cases. It needs a list and a few emails.
- Make the list. Walk through your software, your service providers, and anyone with access to your systems or records. The IT company, the billing service, the cloud backup, the imaging platform: write them all down. This list is the part most practices have never made.
- Ask each vendor for its BAA. Established vendors keep one ready and will send it when you ask. If a vendor does not know what a BAA is, treat that as a warning sign about how it handles patient data.
- Read it before you sign. The agreement must require the vendor to safeguard the data, to report breaches and security incidents to you, and to hold its own subcontractors to the same terms (45 CFR § 164.314(a)). A BAA that quietly disclaims all of that is not doing its job.
- Sign it before you share anything. The agreement has to be in place before any patient data goes to the vendor. Signing one after a disclosure does not cure the disclosure, which is the exact timing the Raleigh settlement turned on.
- Store and review. Keep the signed agreements with the vendor list, and review the list whenever you add or change a vendor. Naming one person to own this was literally part of the corrective action OCR ordered.
Keeping track of which vendors have a signed BAA is also part of a real HIPAA risk analysis, the document the same enforcement office checks first. The two go together: the risk analysis is where you notice the gap, and the BAA is how you close it.
Not sure which of your vendors are missing one? The Scorecard runs through the controls an auditor checks first, including signed BAAs, and scores where your practice stands. Check my practice →
When a vendor will not sign, and other edge cases
A few situations come up often enough to plan for.
- The vendor refuses, or will only sign on a tier you cannot afford: Then you cannot use it for anything involving patient data. No privacy setting or paid add-on substitutes for the contract; find a vendor that will sign.
- "We will send you our BAA": That is normal and fine. Read it anyway. The vendor's version still has to meet the required contents, and some are written to protect the vendor more than your patients.
- Subcontractors behind your vendor: You do not sign with them directly. Your vendor is responsible for binding its own subcontractors, such as the data center behind your cloud software, to the same terms (45 CFR § 164.308(b)). The chain has to hold the whole way down.
- Agencies you are required to report to: Sharing data because the law requires it, such as a report to a state board, is not a business-associate relationship and does not need a BAA.
One change is on the horizon. A proposed overhaul of the HIPAA Security Rule, published in January 2025, would add a step to all of this: practices would have to obtain written verification from each vendor that it has actually deployed the required technical safeguards, refreshed every year. As of June 2026 it is still a proposal, not law. Build your vendor list against today's rules, date it, and expect the bar to rise.
This is general information, not legal advice. Whether a particular vendor counts as a business associate can depend on the specific facts of the arrangement. When a relationship is unclear, confirm it against current HHS guidance or with qualified counsel before you share patient data.
About the author
Dolev Arama is Hipsana's founder. He's the one behind the Scorecard and the short risk reviews it produces. He is not an attorney, and Hipsana is a publisher and referral service, not a law firm or a healthcare provider. The writing here starts where the rules actually live, at HHS, OCR, and NIST, and gets checked against their current text before it goes up. If a line can't be sourced, it doesn't run. More about Hipsana →
Sources
- HHS Office for Civil Rights, "$750,000 settlement highlights the need for HIPAA business associate agreements," resolution agreement with Raleigh Orthopaedic Clinic, P.A. (2016).
- HHS Office for Civil Rights, "Guidance on HIPAA & Cloud Computing" (a cloud or transmission vendor that maintains protected health information is a business associate, encrypted or not).
- HHS Office for Civil Rights, sample business associate agreement provisions (accessed June 2026).
- American Dental Association, FAQs on HIPAA business associates (a dental lab is a healthcare provider; no BAA is needed to share PHI for treatment).
- Jordan v. Absolute Dental Group, LLC, No. 2:25-cv-00986 (D. Nev.); $3.3 million proposed class-action settlement over a 2025 vendor-account breach; final approval hearing July 30, 2026.
- 45 CFR § 160.103; § 164.502(e); § 164.504(e); § 164.308(b); § 164.314(a) (eCFR, current).
- Federal Register, HIPAA Security Rule NPRM, January 6, 2025 (RIN 0945-AA22).
Frequently asked questions
Does a solo dental practice really need BAAs, or is that just for large groups?
It applies to every covered practice, regardless of size. The rules make no exception for solo or small offices, and OCR has settled cases with single-doctor practices. If a vendor handles your patient data, you need a BAA with it whether you run one chair or ten.
Is my practice-management or imaging software vendor a business associate?
Almost always, yes. That software stores or processes your patients' records, which is the definition of a business associate. Cloud-based dental software vendors typically have a BAA ready and will provide it on request.
Do I need a BAA with my IT or computer-support company?
Usually yes. If the company can access the systems that hold patient data, even only to maintain or repair them, it is a business associate under HIPAA. This is one of the most commonly missed agreements in small practices.
Do I need a BAA with my dental lab?
Usually no. HHS and the ADA treat a dental lab as its own healthcare provider, and sharing patient information with it for a patient's treatment falls under HIPAA's treatment exception, which does not require a BAA. You would need one only if a lab or other provider does a non-treatment job for your practice, such as billing or records review.
We email x-rays to specialists. Does the email provider need a BAA?
If the provider stores or routes that patient data through its systems, yes. Most standard email and file-sharing services that hold the message are business associates. A pure conduit that only transmits without storing, like your phone or internet carrier, is not.
What happens if a vendor refuses to sign a BAA?
Then you cannot use that vendor for anything involving patient data. No privacy toggle or paid tier substitutes for the contract. The practical answer is to choose a vendor that will sign one.
Is having a BAA the same as being HIPAA compliant?
No. A signed BAA is one required piece. You still need a risk analysis and written policies, with the safeguards themselves actually in place. The Scorecard checks the BAA alongside the other core controls so you can see the whole picture, not just one part.
Can a BAA be backdated to cover data we already shared?
A BAA cannot be backdated. The agreement has to be in place before you disclose patient data to the vendor. Signing one afterward does not undo the earlier disclosure, which is exactly the timing the Raleigh Orthopaedic settlement turned on.