In 2023, HHS Office for Civil Rights settled 44 HIPAA enforcement cases. A significant share involved Business Associate violations — situations where a covered entity (your agency) signed a contract with a software vendor (a Business Associate), and either the agreement was deficient or the vendor's actual practices didn't match what they promised on paper. Average civil penalty for a mid-size organization: around $1.2 million. Average monthly cost of the software that triggered the exposure: a few hundred dollars.
The math doesn't balance. But it keeps happening, because most agency directors treat the BAA as a legal formality — something to check off before go-live — rather than a document that defines where your liability ends and the vendor's begins.
It doesn't work that way.
What a BAA Actually Is (Not What Vendors Tell You It Is)
A Business Associate Agreement is a contract required under HIPAA (45 CFR § 164.504(e)) whenever a covered entity shares protected health information with a vendor who handles that data on their behalf. It defines:
- What PHI the vendor can access and why
- What security safeguards they must maintain
- What happens if there's a breach (notification timelines, who contacts HHS)
- Your right to audit their practices
- Their obligation to pass those same requirements through to any subcontractors
What a BAA is not: a guarantee that the vendor is actually doing any of those things. The BAA is a paper promise. It shifts some liability. It does not eliminate yours.
If your software vendor suffers a breach and they can't prove they were following the agreed safeguards, OCR will investigate both of you. If you can't prove you did reasonable due diligence before signing, you share the exposure.
The "HIPAA-Compliant" Dodge
Here's the phrase that should make you stop and ask follow-up questions: "We're HIPAA-compliant."
HIPAA compliance is not a certification. There is no government body that reviews a software company's architecture and stamps it "approved." Any vendor can say they're HIPAA-compliant. Many of them believe it sincerely. Some are wrong.
What you want instead:
1. Do they offer a signed BAA as part of the contract — not on request? Vendors who are actually serious about HIPAA make the BAA part of standard onboarding. If you have to ask for it, or if they seem surprised by the request, that's a signal.
2. Where does your data live? The answer should be a named cloud infrastructure provider (AWS, Google Cloud, Azure) with specific mentions of encryption at rest and in transit. "Our servers are secure" is not an answer. "All data is encrypted at rest with AES-256 and in transit via TLS 1.2+" is.
3. Who are their subcontractors? Under HIPAA, if your vendor stores PHI in a database managed by a third-party cloud provider, that provider is a subcontractor. Your vendor must have a BAA with them. Ask for it — or at minimum ask the question. A vendor that has never been asked this question is probably not managing subcontractor agreements correctly.
4. What is their breach notification timeline? HIPAA requires notification to covered entities within 60 days of discovering a breach. A well-prepared vendor should be able to cite their internal incident response timeline without hesitation. If they have to "check with legal," they probably don't have a tested process.
The Shadow Tool Problem Nobody Talks About
Vendors get most of the scrutiny. But in practice, the highest-risk HIPAA exposure in small and mid-size agencies isn't the case management software. It's everything else workers are doing with client data between sessions.
Case notes texted on personal iPhones. Referral information emailed through Gmail. Client rosters stored in a shared Google Sheet. Appointment details discussed in a WhatsApp group.
All of that is PHI. None of those tools are HIPAA-aware. None of them have BAAs with your agency.
The BASW has documented that care workers spend roughly 65% of their week on paperwork — and a significant portion of that work happens between client visits, using whatever's fastest and most familiar. That's not a moral failure; it's what happens when the official tools don't fit the field reality.
The question for agency directors isn't just "does our EHR have a BAA?" It's "what are my workers actually using to handle client information, and do we have any controls around that?"
The answer at most agencies: no controls, and nobody's looked.
Five Questions to Ask Before You Sign Anything
This isn't a comprehensive security audit. It's a conversation-starter — the minimum bar for a software vendor that will touch your client records.
1. Will you sign a BAA before we go live, as part of the standard contract? If yes: proceed. If "we can provide one upon request" or any hesitation: dig deeper.
2. Where is our data stored, and can you name your infrastructure provider and their certifications? Look for: SOC 2 Type II or Type I from the infrastructure provider (AWS, GCP, Azure all have these). Ask where the app-layer data sits.
3. Do you have a signed BAA with each subcontractor who touches our PHI? There is no acceptable alternative answer to "yes."
4. What is your breach notification SLA to us? It should be under 60 days per HIPAA; good vendors aim for 72 hours internally.
5. How do your audit logs work, and can I see a sample? Audit logs are required under the HIPAA Security Rule. A vendor with nothing to show you doesn't have them.
One More Thing About "HIPAA-Aware" vs. "HIPAA-Compliant"
Some vendors use the phrase "HIPAA-aware" instead of "HIPAA-compliant." This is more honest. HIPAA awareness means the product was built with HIPAA requirements in mind — encrypted storage, BAA availability, audit logging, access controls — while acknowledging that compliance is ultimately a shared responsibility between vendor and covered entity.
It's a real distinction. A vendor who claims total compliance and then stores PHI on unencrypted servers is a lawsuit waiting to happen. A vendor who says "we built this to support your compliance program, here's what we do and here's what you're responsible for" is being straight with you.
The Takeaway
The next time a software vendor tells you they're HIPAA-compliant, don't nod and move on. Ask the questions above. Request the BAA before signing anything. Find out where your data lives and who else can touch it.
And then look at what your workers are actually using between visits — because the highest-risk PHI in your agency is probably in a text thread right now, on a phone your IT department has never touched.
CareBridge is built for field-first care coordination. The Team plan includes a signed BAA and HIPAA-aware infrastructure as standard — not an add-on. See carebridge.cloud/trust for what that means in practice.