Do I Need a Business Associate Agreement for This Vendor? A HIPAA Guide for Michigan Healthcare Providers

Szura & Delonis, PLC

Navigating HIPAA compliance doesn’t have to be overwhelming. At Szura & Delonis, PLC, we help Michigan healthcare practices determine when a Business Associate Agreement (BAA) is required to protect PHI and avoid penalties.

What Triggers a BAA Requirement?

Covered entities, meaning health plans, health care clearinghouses, and providers that transmit health information electronically, must execute a BAA before sharing protected health information (PHI) with a vendor that creates, receives, maintains, or transmits PHI on their behalf. Typical business associates include technical suppliers with access to PHI databases, record storage facilities, lawyers, accountants, and consultants who need PHI to do their work. Members of your own workforce, including temporary staff who work on site under your direct control, are not business associates and do not need a BAA, although they must still be trained on your HIPAA policies.

Key Examples: BAA Needed vs. Not Needed

Use this table to quickly assess your vendor.

Vendor Type                                  | BAA Required? | Reason
---------------------------------------------|---------------|----------------------------------------
Cloud storage for patient records            | Yes           | Maintains PHI on your behalf
IT support accessing ePHI systems            | Yes           | Accesses and maintains ePHI
Billing service handling claims              | Yes           | Receives and transmits PHI
Janitorial staff                             | No            | No access to PHI
Orthotics manufacturer (non-provider)        | Sometimes     | Only if it receives or accesses PHI
Accreditation organization                   | Yes           | Accesses PHI during review

Business associates must in turn obtain written agreements from any subcontractors that create, receive, maintain, or transmit PHI for them, so the same restrictions flow down the chain.

Essential BAA Components

A compliant BAA defines the permitted uses and disclosures of PHI, requires the vendor to apply HIPAA Security Rule safeguards (such as encryption and access controls), requires reporting of breaches and security incidents to you, obligates the vendor to bind its subcontractors to the same terms, and requires return or destruction of PHI when the agreement ends. Share only the minimum PHI necessary for the service, and review each BAA annually or whenever the vendor's services change.

Risks of Skipping a BAA

Failing to obtain a required BAA exposes you to OCR civil penalties of up to $1,919,173 per calendar year for all violations of the same provision (the inflation-adjusted cap at the time of writing), plus liability for any breach the vendor causes. A vendor with no access to PHI does not need a BAA. Signing one anyway does no harm, but a signed agreement is not a substitute for due diligence on the vendor's actual security practices.

Government guidance on HIPAA rules and BAAs is available at:

Next Steps for Compliance

Inventory every vendor that handles PHI, execute a BAA tailored to each relationship, and document your due diligence. Szura & Delonis, PLC, in Oakland County, Michigan, provides HIPAA compliance reviews and BAA drafting for healthcare practices.

Contact us for a free consultation to safeguard your operations under HIPAA as of 2026.

Client Reviews

Rick Delonis was outstanding for me in a business matter. Only providing professional information and execution. He was always there to answer anything I needed.

Brian Klanow

This firm has been handling my legal work for nearly 10 years. They have excelled when it comes to reviewing my business contracts, handling articles of incorporation for my entities and, most importantly...

Dan

These guys are the best. They really took care of me when I needed them the most. Very honest and truly care about their clients. I would highly recommend Rick Delonis and the other partners at this law firm to...

John

Being a landlord sometimes is not all it's cracked up to be. Being new to the game mistakes will be made and can be very costly if not handled correctly. After initial negotiations failed our case went to trial...

Francis

Address

Southfield Office
29777 Telegraph Rd
#2401

Southfield, MI 48034


Contact Us

Fill out the form or call us at (248) 716-3600 to reach us.
