
Does Your Backup Provider Need a BAA?


DDSArk Editorial

Security & Compliance · DDSArk · Published


Does a cloud backup provider count as a HIPAA business associate?

Yes. A backup provider that stores your protected health information (PHI) is a HIPAA business associate, and that triggers a legal requirement: you must have a signed Business Associate Agreement (BAA) in place before any patient data changes hands. The rest of this explainer walks through exactly why, what the contract should cover, and how to get one.

This article is general information for dental practices and is not legal advice. Your specific obligations depend on your circumstances — confirm them with qualified counsel or your compliance advisor.

What is a BAA, in plain terms?

A Business Associate Agreement is a HIPAA-required contract between a covered entity (your dental practice) and a business associate (a vendor that creates, receives, maintains, or transmits PHI on your behalf). It is the written instrument that extends HIPAA's obligations to the vendor and documents how PHI will be protected.

The BAA is not paperwork for its own sake. It is the mechanism HIPAA uses to make sure that everyone who touches patient data — not just the practice — is contractually bound to safeguard it.

Why does a backup provider that stores PHI need one?

Because storage is the trigger. HIPAA defines a business associate as a vendor that creates, receives, maintains, or transmits PHI for a covered entity. A backup service maintains copies of your patient records by design — that is the entire point of the product. The moment your imaging, charts, or practice-management database is replicated to a vendor's cloud, that vendor is maintaining PHI on your behalf and meets the definition of a business associate.

It does not matter that the data is encrypted, or that the vendor never opens a single file. Encryption is a safeguard, not an exemption. If the vendor holds the data, the vendor needs a BAA. See our companion explainer, Is Cloud Backup HIPAA Compliant?, for how encryption and access controls fit into the larger picture.

What happens if you skip the BAA?

You stay on the hook. Without a BAA, you have disclosed PHI to a vendor that is not contractually bound to HIPAA — and as the covered entity, your practice remains responsible. The exposure is concrete:

  • OCR enforcement. The HHS Office for Civil Rights investigates HIPAA complaints and breaches. A missing BAA is a documentable compliance failure that can surface during any investigation.
  • Breach liability flows back to you. If the uncontracted vendor suffers a breach, the lack of an agreement does not shield you — it removes a control regulators expect to see.
  • Notification deadlines still apply. Delayed breach notification carries real cost. Westend Dental in Indiana reached a $350,000 settlement tied to delayed notification of a breach. The lesson generalizes: vendor and notification gaps get expensive.

The six questions every practice should answer

  1. What is a BAA? A HIPAA contract between your practice and any vendor that handles PHI on your behalf.
  2. Why does a storing backup vendor need one? Because "maintaining" PHI makes the vendor a business associate.
  3. What if you skip it? You retain full liability and OCR exposure; the vendor is uncontracted.
  4. Doesn't the conduit exception apply? No — it covers transport-only services, not storage.
  5. What must the BAA cover? Permitted uses, safeguards, breach notification, subcontractors, and data return/destruction.
  6. How do you get one? Ask the vendor; a compliant provider offers and signs one as standard.

Doesn't the "conduit exception" let backup vendors off the hook?

No. The conduit exception is narrow and frequently misunderstood. It applies only to entities that act as mere transmission channels for PHI — think of the postal service, a courier, or an internet service provider that moves data without storing it beyond what is transient and incidental to transport.

A backup provider fails that test on the most basic point: it stores your data, often for months or years, as durable copies you can restore from. Persistent storage is the opposite of mere transmission. So the conduit exception does not apply to backup, and the BAA requirement stands. If a vendor cites the conduit exception to avoid signing a BAA for a service that retains your data, treat that as a red flag.

What should a backup BAA actually cover?

A meaningful BAA goes beyond a signature page. At minimum, look for these terms:

  • Permitted uses and disclosures — the vendor may use PHI only as needed to provide the service, and not for its own purposes.
  • Required safeguards — administrative, physical, and technical protections consistent with the HIPAA Security Rule.
  • Breach notification — clear obligations and timelines for the vendor to notify you of any security incident or breach.
  • Subcontractor flow-down — any subcontractor that touches PHI must be bound by equivalent terms.
  • Return or destruction of PHI — what happens to your data when the contract ends.
  • Documentation and cooperation — support for your recordkeeping. HIPAA requires retaining compliance documentation for six years, so your BAA and related records should be kept accordingly.

For a structured way to check your own readiness across these areas, see Could Your Practice Pass a HIPAA Audit on Backups?.

How do you actually get a BAA in place?

Ask. A vendor that is serious about serving healthcare will have a BAA ready and will sign it as a routine part of onboarding — not treat it as an unusual request. If a provider hesitates, cannot produce one, or tries to argue its way out of signing, that tells you something important about whether it should be holding your patients' data at all.

DDSArk signs a HIPAA BAA with every customer as standard.

The bottom line: if a backup provider stores your PHI, it needs a BAA — full stop. Get the agreement signed before you send any patient data, keep a copy with your compliance records, and revisit it whenever the relationship or the service materially changes.

Key takeaways

  • A backup provider that stores PHI is a HIPAA business associate and requires a signed BAA before any patient data is shared.
  • Storing ("maintaining") PHI is the trigger — encryption does not exempt a vendor from needing a BAA.
  • The conduit exception is narrow and covers transmission-only services; it does not apply to backup because backup stores data.
  • Skipping the BAA leaves the practice fully liable and exposed to OCR enforcement.
  • A strong BAA covers permitted uses, safeguards, breach notification, subcontractors, and data return or destruction.
  • A healthcare-ready vendor offers and signs a BAA as standard; DDSArk signs one with every customer.

Frequently asked questions

Does my dental practice or the backup vendor sign first?

Both parties sign the same BAA; order does not matter. What matters is that the signed agreement is in place before any PHI is transmitted to or stored by the vendor.

If our backup data is encrypted, do we still need a BAA?

Yes. Encryption is a security safeguard, not an exemption. As long as the vendor maintains the data — even encrypted — it is a business associate and a BAA is required.

What is the difference between a business associate and a conduit?

A conduit merely transmits PHI without storing it (like a courier or ISP). A business associate creates, receives, maintains, or transmits PHI on your behalf. A backup vendor stores data, so it is a business associate, not a conduit.

Who is liable if a vendor without a BAA has a breach?

Your practice, as the covered entity, remains responsible for PHI it disclosed. A missing BAA does not reduce your liability — it removes a control regulators expect and can compound your exposure during an OCR investigation.

Is this article legal advice?

No. This is general educational information for dental practices. Your specific HIPAA obligations depend on your circumstances, so confirm them with qualified legal counsel or a compliance advisor.
