What Is a BAA and Why Your Scanning Vendor Needs to Sign One
A practical explanation of Business Associate Agreements under HIPAA, what they actually require of a scanning vendor, and the red flags when a vendor resists signing one.
A Business Associate Agreement, or BAA, is the contract that HIPAA requires between a covered entity (your practice) and any vendor that touches your patients' protected health information (PHI). It is one of the most misunderstood documents in healthcare administration, and one of the easiest indicators of whether a vendor takes compliance seriously.
This post explains what a BAA actually does and what to look for when reviewing one.
What HIPAA requires
The HIPAA Privacy Rule and the HITECH Act jointly require covered entities to obtain "satisfactory assurances" that their business associates will protect PHI in the same way the covered entity is required to. Those assurances must be in writing. The written instrument is the BAA.
A scanning vendor handling patient charts is a business associate. So is a cloud storage provider, an IT contractor with access to the EHR, a transcription service, a coding contractor, or a paper destruction service. Any vendor whose work involves access to PHI requires a BAA.
What a BAA actually covers
A standard BAA includes:
- Definition of PHI in the relationship.
- Permitted uses of PHI by the business associate (typically: only what is necessary to perform the agreed services).
- Required safeguards the business associate must implement (administrative, physical, technical).
- Subcontractor flow-down requiring that any subcontractor of the business associate also signs a BAA.
- Breach notification obligations: the business associate must notify the covered entity of any breach without unreasonable delay.
- Reporting obligations: the business associate must make its records available to the Department of Health and Human Services (HHS) on request.
- Termination provisions: what happens to PHI when the agreement ends, including return or destruction.
- Indemnification: varies by agreement but typically allocates breach-related costs.
The exact wording is customizable, but the core elements are non-negotiable under HIPAA.
Why scanning vendors specifically need one
A scanning vendor working with paper charts:
- Has staff who see PHI on the page during scanning.
- Has equipment (scanners, computers, network connections) that temporarily holds PHI.
- Has storage systems that hold processed PHI during the project.
- Has delivery mechanisms that transmit PHI to the destination.
All of those touch PHI in ways that require the vendor to operate as a HIPAA business associate. There is no version of "scanning patient records without a BAA" that complies with HIPAA.
A scanning vendor that hedges on signing a BAA, calls it unnecessary, or offers a "data processing agreement" that does not include the BAA elements is signaling either ignorance or unwillingness. Neither is acceptable in a healthcare context.
Red flags in vendor BAAs
Some specific things to watch for when reviewing a BAA from a scanning vendor:
Generic template language with practice-specific blanks unfilled. A vendor that hands you a BAA template with placeholder text suggests they have not actually thought through how the agreement applies to their specific service.
Overly broad permitted use clauses. "May use PHI for any business purpose" is too broad. Permitted use should be limited to performing the scanning services.
No retention or destruction clause. The BAA should specify what happens to any PHI the vendor temporarily holds at the end of the project. "Wipe processing storage after delivery" is the right answer.
Subcontractor language missing or weak. If the vendor uses subcontractors (e.g., for OCR processing), those subcontractors must also be bound by a BAA. The BAA should require this explicitly.
No breach notification window. HIPAA requires notification "without unreasonable delay," but the BAA should typically specify a concrete window (often 24-72 hours).
Disclaimers of HIPAA obligations. Any language attempting to disclaim the vendor's HIPAA obligations is a red flag. The vendor cannot contract out of HIPAA.
What a good BAA enables for the practice
When a scanning vendor has signed a clean BAA, the practice can confidently:
- Allow the vendor's staff access to patient records.
- Permit the vendor to use practice equipment or network in the course of the project.
- Document the relationship in the practice's HIPAA compliance binder.
- Respond confidently to a regulator's question about vendor management.
When the BAA is missing or weak, every one of those becomes a risk.
What ArchiveBridge does about this
ArchiveBridge signs a Business Associate Agreement before any healthcare project begins. Our BAA includes the standard required elements: permitted use limited to scanning services, encryption at rest and in transit, processing storage wipe at project end, breach notification within 24 hours, subcontractor flow-down, and HHS reporting obligations.
A copy of our standard BAA is available on request before a project begins. Request a quote to start that conversation.