OCR Audit #1 Finding

Business Associate Agreements: The #1 HIPAA Violation in Dental Practices

If OCR auditors walked into your practice today, the first thing they'd ask for is your Business Associate Agreement log. Not your SRA. Not your training records. Your BAAs — because missing BAAs are the single most common HIPAA violation found in dental practice audits, and they are easy for auditors to verify and easy to fine. The average modern dental practice has 30–40 vendors who legally require a BAA. Most practices have signed agreements with fewer than 10.

  • #1: OCR finding in dental HIPAA audits
  • 35+: Avg. vendors requiring a BAA in a modern dental office
  • $1.9M: Average OCR settlement for BAA-related violations

2026 Update: The HIPAA Security Rule Final Rule requires BAAs to be reviewed and updated to reflect new security requirements — including MFA, encryption, and breach notification timelines. BAAs signed before 2024 that don't address these requirements are considered non-compliant.

ADA Official Partner — Recommended for Dental Practice in your area

Get Your Practice 100% HIPAA Compliant in 2026

Compliancy Group is the only HIPAA solution officially endorsed by the American Dental Association. Their Compliance Coach walks your practice through every requirement — and their Seal of Compliance proves you're audit-ready.

Get ADA-Recommended HIPAA Compliance →

No credit card required to start your audit

What Is a Business Associate Agreement?

A Business Associate Agreement (BAA) is a legally required contract between a dental practice (Covered Entity) and any third party (Business Associate) who creates, receives, maintains, or transmits Protected Health Information (PHI) on the practice's behalf.

The BAA defines how the Business Associate must protect PHI, what they must do if a breach occurs, and what happens to PHI when the relationship ends. Without a signed BAA, every piece of patient data your vendor touches is considered an unauthorized disclosure — a HIPAA violation.

This isn't optional. It's not a best practice. It's a federal legal requirement under 45 CFR § 164.308(b) and 45 CFR § 164.314(a).

Which Vendors Require a BAA? The Complete Dental Practice List

This is where most practices get surprised. The list of vendors requiring a BAA is much longer than most dentists realize:

  • Billing & Insurance: Billing companies, clearinghouses, insurance verification services, revenue cycle management platforms, credentialing services
  • Technology & Software: Dental practice management software (Dentrix, Eaglesoft, Curve, etc.), EHR/EMR platforms, cloud storage providers (Dropbox, Google Drive, OneDrive used for patient data), email platforms (if used for patient communication), patient portal software, scheduling platforms
  • Clinical Services: Dental labs (if they receive digital impressions with patient info), CBCT imaging centers, pathology labs, specialist referral platforms
  • IT & Infrastructure: IT managed services providers, help desk services, backup and disaster recovery vendors, cybersecurity firms with access to your systems, shredding and document destruction services
  • Communication & Marketing: Patient reminder services (calls, texts, emails), recall systems, patient satisfaction survey platforms, telehealth platforms
  • Staffing & HR: Dental billing services, medical VA companies, temporary staffing agencies who place workers with patient data access, HR platforms storing employee health information
  • Finance: Dental financing companies (CareCredit, Proceed Finance, etc.) who receive patient financial information tied to treatment plans, collection agencies

What Makes a BAA Valid in 2026?

Not all BAAs are created equal. OCR has disqualified BAAs during audits for being incomplete, outdated, or failing to address current requirements. A valid 2026-compliant BAA must include:

  • Permitted uses and disclosures of PHI by the Business Associate
  • Prohibition on using or disclosing PHI beyond permitted uses
  • Appropriate safeguards to prevent unauthorized disclosure
  • Obligation to report breaches within 60 days (updated 2026 timeline)
  • Requirement to ensure any subcontractors also sign BAAs
  • Return or destruction of PHI upon contract termination
  • Explicit reference to HITECH Act requirements
  • Specific mention of encryption and MFA obligations (new 2026 requirement)
  • Signed by an authorized representative of the Business Associate

The Most Common BAA Mistakes That Get Practices Fined

These are the BAA errors that appear most frequently in OCR audit findings against dental practices:

  • Using the vendor's template without review: Many vendors provide a BAA template that protects the vendor, not your practice. Always have a qualified HIPAA advisor review before signing.
  • Pre-2013 BAAs still in use: The HITECH Act in 2013 significantly changed BAA requirements. Any BAA signed before 2013 is automatically non-compliant. Many practices are still using them.
  • No BAA with IT providers: IT companies are almost always Business Associates — they have access to every system in your office. Yet many dental practices have never asked their IT company for a BAA.
  • Missing subcontractor BAAs: If your billing company uses a clearinghouse, that clearinghouse must also have a BAA with them. You're responsible for ensuring this chain exists.
  • No BAA log or tracking system: Practices that can't produce a BAA on demand during an audit are treated as if they don't have one — even if they do. Organization matters.

What Happens When You're Caught Without a BAA

OCR's fine structure for missing BAAs is steep — and it scales with the number of affected patients and the practice's prior compliance history.

  • Tier 1 (Reasonable Cause, not willful neglect): $100–$50,000 per violation
  • Tier 2 (Reasonable Cause with some willful neglect): $1,000–$50,000 per violation
  • Tier 3 (Willful Neglect, corrected): $10,000–$50,000 per violation
  • Tier 4 (Willful Neglect, not corrected): $50,000 per violation

The key word is 'per violation.' If you've been processing claims without a BAA for 24 months and you have 800 active patients, OCR may assess the fine per patient, per month — which can result in multimillion-dollar exposure even for small practices.

In 2024, a small dental practice in Texas was fined $80,000 for using a billing clearinghouse for 18 months without a BAA. The owner described it as 'a form I just never got around to.' The OCR investigator described it as a Tier 3 violation with evidence of willful neglect.

How to Audit Your BAAs This Week

You don't need a compliance consultant to do a basic BAA audit. Here's the four-step process:

  • Step 1: List every vendor who has access to patient data, including software platforms, IT services, billing services, and clinical partners.
  • Step 2: Check your files for a signed BAA for each vendor. A BAA is not a privacy policy, a service agreement, or a click-through checkbox. It's a standalone, signed agreement.
  • Step 3: For BAAs you find, check the date. Anything signed before 2013 needs to be redone. Anything that doesn't reference HITECH or breach notification timelines needs to be updated.
  • Step 4: For each vendor without a current BAA, contact their compliance department. If they can't or won't sign a BAA, you cannot legally continue using them for any task involving patient data.
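The four steps above are easier to repeat every year if the vendor list lives in a simple log that can be checked mechanically. The following script is an added example written for this page; it is not code from the page, from Compliancy Group, or from any vendor named here. It assumes a constructed CSV log format (one row per vendor with the BAA signing date, the clauses the agreement contains, and whether an authorized representative signed) and uses made-up clause labels and vendor names. It applies the page's rules: no BAA on file is flagged MISSING, a BAA signed before 2013 is flagged REDO, and a BAA that lacks any of the clauses listed under "What Makes a BAA Valid in 2026?" (including the HITECH reference, the breach notification timeline, and the encryption/MFA clause) or an authorized signature is flagged UPDATE.

```python
"""BAA log checker (added example, not the page's or any vendor's code).

Reads a constructed CSV vendor log and applies the audit rules described
on the page. Clause labels and the CSV layout are assumptions for this example.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Clause labels (constructed for this example) mapped from the page's
# list of what a valid 2026 BAA must include.
REQUIRED_CLAUSES = {
    "permitted_uses",                 # permitted uses/disclosures + prohibition beyond them
    "safeguards",                     # appropriate safeguards against unauthorized disclosure
    "breach_notification_60_days",    # breach reporting within 60 days
    "subcontractor_flowdown",         # subcontractors must also sign BAAs
    "return_or_destroy",              # return/destruction of PHI at termination
    "hitech_reference",               # explicit HITECH Act reference
    "encryption_and_mfa",             # encryption and MFA obligations (2026 requirement)
}

# Any BAA signed before the 2013 HITECH changes must be redone outright.
HITECH_CUTOFF = date(2013, 1, 1)

# Constructed sample log. Vendor names are placeholders, not real companies.
SAMPLE_LOG = """
name,category,baa_signed,clauses,authorized_signature
Example Clearinghouse,Billing,2024-03-15,"permitted_uses;safeguards;breach_notification_60_days;subcontractor_flowdown;return_or_destroy;hitech_reference;encryption_and_mfa",yes
Example IT MSP,IT & Infrastructure,,,no
Example Dental Lab,Clinical Services,2011-06-01,permitted_uses;safeguards,yes
Example Reminder Service,Communication,2019-09-30,"permitted_uses;safeguards;breach_notification_60_days;subcontractor_flowdown;return_or_destroy;hitech_reference",yes
"""


@dataclass
class Vendor:
    name: str
    category: str
    baa_signed: Optional[date] = None          # None means no signed BAA on file
    clauses: set = field(default_factory=set)  # clause labels present in the BAA
    authorized_signature: bool = False         # signed by an authorized representative


def load_log(csv_text: str) -> list:
    """Parse the constructed CSV log into Vendor records."""
    vendors = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        signed = date.fromisoformat(row["baa_signed"]) if row["baa_signed"] else None
        clauses = {c.strip() for c in row["clauses"].split(";") if c.strip()}
        authorized = row["authorized_signature"].strip().lower() == "yes"
        vendors.append(Vendor(row["name"], row["category"], signed, clauses, authorized))
    return vendors


def audit_vendor(v: Vendor) -> tuple:
    """Return (status, reasons) where status is MISSING, REDO, UPDATE or OK."""
    if v.baa_signed is None:
        return "MISSING", ["no signed BAA on file"]
    if v.baa_signed < HITECH_CUTOFF:
        return "REDO", [f"signed {v.baa_signed.isoformat()} (pre-2013, before HITECH)"]
    reasons = []
    missing = sorted(REQUIRED_CLAUSES - v.clauses)
    if missing:
        reasons.append("missing clauses: " + ", ".join(missing))
    if not v.authorized_signature:
        reasons.append("not signed by an authorized representative")
    return ("UPDATE", reasons) if reasons else ("OK", [])


def audit_log(vendors) -> dict:
    """Audit every vendor; keyed by vendor name."""
    return {v.name: audit_vendor(v) for v in vendors}


def summarize(results: dict) -> dict:
    """Count vendors per status so the practice can see its exposure at a glance."""
    counts = {"MISSING": 0, "REDO": 0, "UPDATE": 0, "OK": 0}
    for status, _ in results.values():
        counts[status] += 1
    return counts


if __name__ == "__main__":
    results = audit_log(load_log(SAMPLE_LOG))
    for name, (status, reasons) in results.items():
        print(f"{status:8} {name}" + (": " + "; ".join(reasons) if reasons else ""))
    print("summary:", summarize(results))
```

Running the script on the constructed log reports the IT provider as MISSING (the page's "No BAA with IT providers" mistake), the lab's 2011 agreement as REDO, and the reminder service as UPDATE because its otherwise complete BAA lacks the encryption/MFA clause. Keeping the log in this form also answers the "No BAA log or tracking system" finding: the agreement for any vendor can be located by name rather than hunted for during an audit.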


Frequently Asked Questions

Does my dental software company need a BAA?

Yes, almost certainly. Any software that stores, processes, or transmits patient information — including practice management software, scheduling systems, and patient portals — requires a BAA with the vendor. Most reputable dental software companies (Dentrix, Eaglesoft, Curve Dental, etc.) have standard BAA templates available through their compliance department.

What's the difference between a BAA and a privacy policy?

A privacy policy is a public document explaining how a company uses data generally. A BAA is a private contract between your practice and a specific vendor that creates legal obligations and protections around patient PHI specifically. Accepting a vendor's privacy policy during software setup does NOT substitute for a signed BAA.

Can I use one BAA template for all my vendors?

You can use a template as a starting point, but each BAA must accurately describe the specific services the vendor provides and the types of PHI they access. A template BAA that lists 'billing services' doesn't adequately cover an IT managed services company. HHS provides a sample BAA template on their website, but it should be reviewed by a HIPAA advisor before use.

How often do BAAs need to be updated?

BAAs should be reviewed whenever: (1) the vendor's services change significantly, (2) your practice's use of PHI changes, (3) there are regulatory updates affecting BAA requirements — as there were in 2013 (HITECH) and 2026 (Security Rule Final Rule). Best practice is an annual review of all vendor BAAs as part of your overall HIPAA compliance review.

What if a vendor refuses to sign a BAA?

If a Business Associate refuses to sign a BAA, you cannot legally use them for any task involving PHI. This is non-negotiable under HIPAA. You must either find an alternative vendor who will sign a BAA, or structure the relationship so the vendor never has access to patient data — which is often not feasible for billing, IT, or software vendors.

Not Sure Where Your Practice Stands?

Take the free 5-question HIPAA Risk Assessment — get your estimated fine exposure in under 2 minutes.

Take the Free Risk Calculator →

Get All Your BAAs in Order — Without Doing It Yourself

Compliancy Group identifies every vendor requiring a BAA, generates compliant agreements, and tracks signatures — all within their HIPAA compliance platform. ADA's official partner.

Audit My Business Associates →

ADA's official HIPAA compliance partner
