Navigating HIPAA compliance doesn’t have to be overwhelming. At Szura & Delonis, PLC, we help Michigan healthcare practices determine when a Business Associate Agreement (BAA) is required to protect PHI and avoid penalties.

What Triggers a BAA Requirement?

Covered entities—such as health plans, clearinghouses, and providers transmitting health info electronically—must execute a BAA before sharing protected health information (PHI) with vendors who create, receive, maintain, or transmit it on their behalf. This may apply to technical suppliers accessing PHI databases, record storage facilities, lawyers, accountants, consultants, and temporary agencies placing staff near PHI.

Key Examples: BAA Needed vs. Not Needed

Use this table to quickly assess your vendor.

Business associates must also secure BAAs from their subcontractors handling PHI.

Essential BAA Components

A compliant BAA defines permitted PHI uses, mandates HIPAA Security Rule safeguards (encryption, access controls), requires breach reporting, and ensures PHI destruction upon termination. Limit PHI to the minimum necessary and review annually or with service changes.

Risks of Skipping a BAA

Failing to obtain a required BAA risks OCR fines up to $1,919,173 per violation, plus breach liability. Even vendors without PHI access don’t need one, but over-applying BAAs isn’t harmful—though due diligence on compliance is key.

Government guidance on HIPAA rules and BAAs is available at:

• HHS HIPAA Portal: https://www.hhs.gov/hipaa/index.html.
• HHS OCR BAA Guidance: https://www.hhs.gov/hipaa/for-professionals/covered-entities/hipaa-business-associate-agreements/index.html.

Next Steps for Compliance

Inventory vendors handling PHI, execute tailored BAAs, and conduct due diligence. Szura & Delonis, PLC, in Oakland County, Michigan, specializes in HIPAA audits and BAA drafting for healthcare practices. 

Contact us for a free consultation to safeguard your operations under HIPAA as of 2026.