
Do I Need a BAA With My Cloud Fax, IT Company, or Answering Service?

By GuardWell Compliance Team · March 18, 2026 · 7 min read

You just realized that your cloud fax service handles thousands of pages of patient records every month — and you never signed a Business Associate Agreement with them. Or your IT company has remote access to every computer in the office, including the ones with your EHR open. Or your after-hours answering service takes messages that include patient names, symptoms, and callback numbers. And now you are wondering: was I supposed to have a BAA with these companies this whole time?

In most cases, yes. And the fact that you are asking means you are already ahead of the many practices that have never considered the question.

What Is a Business Associate Under HIPAA?

A business associate is any person or organization — other than a member of your workforce — that performs a function or activity on behalf of your practice involving the use or disclosure of protected health information. The key phrase is "on behalf of" — if the vendor creates, receives, maintains, or transmits PHI as part of the service they provide to you, they are almost certainly a business associate and you are required to have a BAA in place before they access any PHI.

The Vendor-by-Vendor Breakdown

Here is the definitive answer for the most common vendor relationships in medical practices:

Yes, You Need a BAA:

  • Cloud fax service: Yes. They transmit and often store documents containing PHI. This includes eFax, HelloFax, RingCentral Fax, and similar services. Most reputable cloud fax vendors will sign BAAs — if yours will not, switch to one that will.
  • IT support company / managed service provider: Yes. If they have access to systems containing ePHI — which they almost certainly do if they manage your computers, network, or servers — they are a business associate. This includes remote support access.
  • Answering service: Yes. If they take messages that include patient names, symptoms, medications, or any other health information, they are handling PHI. Most medical answering services expect to sign BAAs — if yours does not know what a BAA is, that is a red flag.
  • Medical billing company: Yes. They handle claims data that is loaded with PHI. This should be one of the first BAAs in place.
  • EHR vendor: Yes. They maintain your entire patient record system. Every EHR vendor should provide a BAA — it is a standard part of the contract.
  • Cloud storage (Google Workspace, Microsoft 365, Dropbox): Yes, if you store PHI there. Google, Microsoft, and Dropbox all offer BAA-eligible plans, but you must specifically execute the BAA — it is not automatic. For Google Workspace and Microsoft 365, the BAA is typically accepted through the admin console.
  • Shredding and document destruction company: Yes. They handle physical records containing PHI.
  • Transcription service: Yes. They process clinical documentation containing detailed PHI.
  • Practice management software: Yes. Similar to EHR — patient demographic and billing data is PHI.
  • Data backup and disaster recovery vendor: Yes. They store copies of your ePHI.
  • Secure messaging or texting platform: Yes, if used for communicating PHI between staff or with patients.
  • Collections agency: Yes. They receive patient names, account balances, and often diagnostic information for billing purposes.

No, You Probably Do Not Need a BAA:

  • Cleaning / janitorial service: Generally no, unless they have access to areas where PHI is stored and your contract specifically addresses how they must handle any PHI they might encounter. However, if they handle biohazardous waste bearing patient-identifying labels, the answer is less clear-cut and that handling should be addressed explicitly.
  • Plumber, electrician, general maintenance: No. These vendors are performing services for the facility, not handling PHI.
  • Internet service provider: No. ISPs are considered conduits — they transmit data but do not access it in the normal course of business. However, this does not apply if the ISP also provides managed security or content filtering services that involve accessing PHI.
  • Traditional telephone company: No, for the same conduit reason as ISPs — for basic phone service.
  • US Postal Service and courier services: No. They are explicitly excluded from the definition of business associate when acting as a conduit for PHI in the normal course of business.

It Depends:

  • Accountant or CPA: Only if they receive PHI as part of their engagement. If they only handle financial data without patient-identifying information, no BAA is needed. But if they audit billing records that include patient names and diagnosis codes, yes.
  • Attorney: Only if they handle matters involving PHI (malpractice defense, compliance consulting, breach response). A lawyer handling your real estate lease does not need a BAA.
  • Website hosting: Only if your website collects or stores PHI — patient forms, portal access, appointment requests that include health information.

What If You Have Been Operating Without BAAs?

If you just realized you are missing BAAs with vendors who should have them, here is your action plan:

  1. Do not panic, but do act immediately. The lack of a BAA is a HIPAA violation, but it is one that can be corrected. The longer it persists after you become aware of it, the harder it is to characterize as reasonable cause versus willful neglect.
  2. Create a complete vendor inventory. List every vendor, contractor, and service provider your practice uses. For each one, determine whether they create, receive, maintain, or transmit PHI.
  3. Prioritize by risk. Start with vendors who have the most access to the most PHI — your EHR, billing company, IT provider, and cloud services.
  4. Execute BAAs. Contact each vendor and request a BAA. Most vendors in the healthcare space will have their own BAA template. Review it carefully — ensure it includes all required HIPAA elements including breach notification obligations, restrictions on subcontractors, and termination provisions.
  5. Document the process. Create a log showing when you identified the gap, when you contacted the vendor, and when the BAA was executed. This documentation shows good faith effort in the event of an investigation.
  6. If a vendor refuses to sign a BAA, you cannot use that vendor for services involving PHI. Period. Find an alternative vendor who will execute a BAA. Using a vendor who refuses to sign a BAA while knowing PHI is involved is willful neglect.

BAA Maintenance Is Ongoing

Getting BAAs signed is not a one-time task. You need a process for:

  • Reviewing BAAs annually to ensure they are current and reflect your actual vendor relationships.
  • Executing BAAs with new vendors before they access any PHI — not after.
  • Tracking BAA expiration dates if the agreements have a fixed term.
  • Monitoring vendor compliance and responding to any vendor breaches.

GuardWell's vendor management module helps practices maintain a complete vendor inventory with BAA tracking, risk tiering, and renewal reminders — so you always know exactly which vendors have BAAs in place and which need attention. Building this discipline now prevents the kind of panic that brought you to this article.


Ready to simplify compliance?

GuardWell brings HIPAA, OSHA, OIG, and 7 more compliance modules into one affordable platform built for medical practices.


Start your compliance journey today

Join practices using GuardWell Compliance to stay ahead of HIPAA audits, OCR enforcement, and state regulatory inspections — $199/month with annual billing. Try free for 7 days.

No setup fees · No contracts · Cancel anytime
