Your IT company has had remote access to your server for years. They manage your network, troubleshoot your EHR, reset passwords, and probably have admin credentials to everything. And you just realized — or someone just pointed out — that you never signed a Business Associate Agreement with them. If this describes your practice, you are not alone. Missing IT vendor BAAs are one of the most common HIPAA gaps we encounter, and they represent one of the most straightforward violations for OCR to identify and penalize.
Why Your IT Company Is a Business Associate
Under 45 CFR 164.502(e), a business associate is any person or entity that performs functions or activities on behalf of a covered entity involving the use or disclosure of PHI. Your IT support company almost certainly qualifies because they:
- Have remote or physical access to servers, workstations, and network devices that store or process ePHI
- May access, view, or interact with ePHI during troubleshooting, maintenance, or system administration
- Manage backups that contain ePHI
- Configure security settings that control access to ePHI
- May have access to email systems that contain patient communications
The argument that “they don’t look at patient records” does not eliminate the BAA requirement. The standard is whether PHI is accessible to them, not whether they routinely view it. If an IT technician can see a patient name on a screen while troubleshooting, the BAA requirement is triggered. OCR has been explicit on this point.
The Violation You Already Have
Operating without a BAA where one is required is a standalone HIPAA violation under 45 CFR 164.502(e). It does not require a breach to occur. The absence of the agreement itself is the violation. OCR settlements for missing BAAs have ranged from tens of thousands to millions of dollars, depending on the scope and duration of the relationship.
In the 2024 settlement with Doctors’ Management Services, OCR specifically cited the failure to have appropriate business associate agreements as a contributing factor in a multi-million-dollar enforcement action. The message is clear: this is not a technical paperwork issue — it is a substantive compliance failure that OCR actively pursues.
How to Assess Your Current Exposure
Before you can fix the gap, you need to understand its scope. Work through these questions as part of your risk assessment:
- How long has the IT company had access to systems containing ePHI? The duration of the relationship without a BAA affects your exposure level.
- What level of access do they have? Administrative credentials to your EHR, remote desktop access to workstations, backup management, email administration — catalog everything.
- Has there been any security incident during the relationship? If the IT company experienced a breach or security event while operating without a BAA, your liability is compounded.
- Do they subcontract any work? If your IT company uses subcontractors who also access your systems, those entities are subcontractors under the BAA chain and need their own agreements.
- What security controls does the IT company maintain? Encryption, access logging, employee background checks, security training — evaluate whether they meet HIPAA Security Rule standards.
The Remediation Plan: Step by Step
Fixing a missing BAA is not just about getting a signature on a document. It requires a structured approach:
Step 1: Execute the BAA Immediately
Draft or obtain a compliant BAA and get it signed. Do not use a one-page template you found online. The BAA must address all required elements under 45 CFR 164.504(e), including permitted uses and disclosures, safeguarding obligations, breach notification requirements, return or destruction of PHI at termination, and the obligation to make records available for an HHS audit.
Step 2: Conduct Due Diligence on the Vendor
Signing a BAA does not absolve you of the obligation to evaluate whether the business associate can actually comply with HIPAA. Request documentation of their security practices: encryption policies, access controls, employee training, incident response procedures, and insurance coverage. If they cannot demonstrate basic security competence, the BAA is not sufficient protection.
Step 3: Document the Gap and Your Remediation
Create a written record of the compliance gap, when it was identified, and every step taken to remediate it. This documentation is critical if OCR ever investigates. A practice that discovers a gap and promptly remediates it is treated very differently from one that ignored a known problem. File this documentation in your compliance program records.
Step 4: Review All Other Vendor Relationships
If your IT company was missing a BAA, there is a strong probability that other vendors are as well. Conduct a comprehensive vendor inventory: cloud fax services, answering services, cloud storage providers, billing companies, consultants, shredding services, and anyone else who may access PHI. Build a BAA tracking system so this gap does not recur.
Step 5: Evaluate Whether a Breach Has Occurred
The absence of a BAA does not automatically mean a breach occurred. However, if the IT company’s access to PHI was unauthorized under your policies (which it technically was, without a BAA), you may need to conduct a breach risk assessment to determine whether notification is required. Consult with legal counsel on this analysis.
What If the IT Company Refuses to Sign?
Some IT companies, particularly smaller local providers, may resist signing a BAA because they do not want to accept the compliance obligations it imposes. If your IT company refuses to sign a BAA, you have two options: find a new IT company that will sign, or accept ongoing HIPAA exposure. There is no third option. You cannot continue to allow an entity to access ePHI without a BAA in place, regardless of how long you have worked with them or how much you trust them.
In practice, most reputable IT companies that serve healthcare clients are familiar with BAAs and willing to sign. Resistance is often a signal that the vendor does not have the security infrastructure to support HIPAA compliance — which is itself a risk factor your practice should take seriously.
Preventing Future Gaps
Build vendor management into your ongoing compliance program. Maintain a centralized vendor inventory with BAA status, expiration dates, and last-reviewed dates. Include vendor due diligence in your annual risk assessment. Train staff to recognize when a new vendor relationship triggers a BAA requirement — before the vendor is given access, not after.
Frequently Asked Questions
Does my IT company need their own HIPAA compliance program?
Yes. Under the HITECH Act, business associates are directly liable for HIPAA compliance. Your IT company must implement administrative, physical, and technical safeguards for any ePHI they access, conduct their own risk assessments, train their workforce, and maintain their own policies and procedures. The BAA creates a contractual obligation, but HITECH creates a statutory one.
What if my IT company only accesses our systems occasionally for troubleshooting?
Frequency of access does not determine whether a BAA is required. If the IT company has the ability to access systems containing ePHI — even if they rarely exercise that access — they are a business associate and a BAA is required. A single remote session where a technician can see patient data on a screen triggers the obligation.
Can I use a free BAA template for my IT vendor?
While templates exist, a BAA for an IT vendor should address the specific nature of the services provided, including remote access protocols, data backup handling, subcontractor arrangements, and security incident response. A generic template may not cover these adequately. Have the agreement reviewed by counsel familiar with HIPAA to ensure it provides meaningful protection.
Should I self-report the missing BAA to OCR?
HIPAA does not require you to self-report a missing BAA in the absence of a breach. However, you should document the gap, your discovery of it, and your remediation steps. If a breach occurs or OCR investigates for another reason, your documented remediation will demonstrate good faith. Consult with legal counsel before making any voluntary disclosures to OCR.