What is a Business Associate Agreement (BAA) in IT?

A Business Associate Agreement (BAA) is a HIPAA-required contract between a covered entity (your healthcare organization) and a vendor who handles protected health information on your behalf — including your IT provider. The BAA specifies what the vendor can do with PHI, their security obligations, and their breach notification responsibilities. Operating without a signed BAA from your IT provider is a HIPAA violation, even if no breach occurs.

How much does HIPAA compliant managed IT cost?

HIPAA compliant managed IT services typically cost $130–$280 per user per month depending on organization size, location, and the depth of compliance tooling required. Healthcare-specific add-ons — encrypted email, EHR-integrated backup, audit logging, and HIPAA risk assessment documentation — add $30–$80/user beyond standard managed IT pricing. A 20-provider medical practice typically pays $4,000–$8,000/month for fully compliant managed IT.

What happens if my IT provider is not HIPAA compliant?

If your IT provider accesses PHI without a BAA, or if a breach occurs because of inadequate IT security, your organization is liable under HIPAA — not the IT provider. HHS OCR fines range from $100 to $50,000 per violation, with annual maximums of $1.9 million per violation category. The average HIPAA settlement for a small healthcare provider involved in a breach is $400,000–$2 million. Operating with a non-compliant IT provider is one of the most common and avoidable sources of HIPAA liability.

HIPAA Compliant IT Services in 2026: What They Include and How to Find the Right Provider

Q: Does my EHR vendor make me HIPAA compliant?

No. Your EHR vendor (Epic, Cerner, athenahealth, eClinicalWorks, etc.) handles PHI within their platform and signs a BAA with you — but they are responsible only for the security of their application. Your IT infrastructure (endpoints, email, network, backup systems, user access management) is your responsibility and requires a separate HIPAA-compliant IT provider. Most HIPAA breaches involve infrastructure outside the EHR, not the EHR itself.

Q: Who needs HIPAA compliant IT services?

HIPAA applies to covered entities — healthcare providers who transmit PHI electronically (which includes virtually all medical practices, hospitals, dental offices, mental health providers, and health plans) — and their business associates (vendors who handle PHI). If your organization creates, receives, maintains, or transmits protected health information, you need HIPAA compliant IT services. This includes medical practices of all sizes, behavioral health providers, telehealth companies, health tech startups, and healthcare-adjacent businesses that access PHI.

Quick answer HIPAA compliant IT services are managed IT services that include: a signed Business Associate Agreement, PHI encryption at rest and in transit, audit logging of all PHI access, access controls limited to authorized personnel, documented annual risk assessments, and a breach response plan. Your EHR vendor's BAA does not cover your IT infrastructure — you need a separate HIPAA-compliant IT provider.

What Makes an IT Service "HIPAA Compliant"

HIPAA compliance for IT services is defined by the HIPAA Security Rule (45 CFR Part 164), which mandates specific technical, physical, and administrative safeguards for electronic protected health information (ePHI). A HIPAA compliant IT provider isn't just one who signs a BAA — they're one who implements and documents the specific controls the Security Rule requires.

Here's what that actually means in practice:

✓

Business Associate AgreementBefore your IT provider can touch any PHI-related system, they must sign a BAA. This is a legal contract — not a checkbox. Without it, both parties are violating HIPAA.

✓

PHI Encryption at RestAll storage containing PHI — servers, workstations, laptops, cloud storage, backup drives — must be encrypted. Device encryption must be enforced by policy, not optional.

✓

PHI Encryption in TransitPHI transmitted over the network or internet must be encrypted (TLS 1.2+ for web; S/MIME or equivalent for email). Unencrypted email containing PHI is a violation.

✓

Access ControlsPHI must be accessible only to users who need it for their job. RBAC (role-based access control) must be implemented and documented. Shared login credentials are a violation.

✓

Audit LogsYour systems must log who accessed what PHI, when, and from where. Logs must be retained for at least 6 years and be available for OCR audit review.

✓

Annual Risk AssessmentA documented risk assessment identifying threats to PHI confidentiality, integrity, and availability — updated at least annually or when your environment changes significantly.

✓

Workforce Training RecordsHIPAA requires documented security awareness training for all staff who handle PHI. Your IT provider should be able to support this program and maintain records.

✓

Incident Response PlanA documented process for identifying, containing, and reporting HIPAA breaches — including the 60-day notification requirement to HHS and affected individuals for breaches over 500 records.

What your EHR's BAA doesn't cover: Your EHR vendor (Epic, athenahealth, eClinicalWorks, etc.) signs a BAA and secures their application. But your laptops, email system, network, backup infrastructure, and user access management are outside the EHR's scope. Most HIPAA breaches happen at the infrastructure level — unencrypted laptops, compromised email accounts, unauthorized access — not within the EHR itself. You need a separate HIPAA-compliant IT provider for everything outside the EHR.

HIPAA IT Requirements: What the Security Rule Actually Mandates

Requirement	Specification Type	What It Means for IT
Access controls	Required	Unique user IDs, automatic logoff, emergency access procedures
Audit controls	Required	Hardware/software activity logs for systems containing ePHI
Integrity controls	Addressable	Electronic mechanisms to verify PHI hasn't been improperly altered or destroyed
Transmission security	Addressable	Encryption of ePHI in transit (effectively required in modern environments)
Encryption at rest	Addressable	Encryption of stored ePHI on devices and servers (effectively required)
Workstation security	Required	Physical and logical security of workstations that access ePHI
Device & media controls	Required	Policies for hardware/media containing ePHI — disposal, reuse, and accountability
Person/entity authentication	Required	Verify identity of users before granting access to ePHI
Business associate contracts	Required	Signed BAA with every vendor who handles ePHI on your behalf
Contingency planning (backup)	Required	Data backup plan, disaster recovery plan, and testing of restoration procedures

The "Addressable" designation does not mean optional — it means you must implement the safeguard or document a specific reason why an alternative measure achieves equivalent protection. In 2026, "we're a small practice" is not an adequate justification for unencrypted storage.

Questions That Reveal Whether an IT Provider Is Actually HIPAA Compliant

Most IT providers will say they're HIPAA compliant during a sales call. Very few can answer these questions specifically:

"Walk me through how you handle a laptop that's reported lost or stolen." A compliant answer includes: remote wipe capability, confirmation of full disk encryption, documentation of the loss for potential breach assessment, and notification protocols if PHI was present.
"Can you produce our HIPAA risk assessment from last year?" They should have produced it. If you don't have it, they didn't do it.
"How do we know who has accessed patient data and when?" The answer should describe audit logging at the application, network, and endpoint level — not just "the EHR tracks that."
"What happens on day one if you suspect a HIPAA breach?" The answer should include a defined escalation process, a breach risk assessment methodology, and your obligations to HHS under the 60-day clock.
"Do you sign BAAs with all your subcontractors who might touch our systems?" If they use third-party tools (RMM software, backup platforms, cloud services) that process your data, those vendors must also have BAAs. Most MSPs don't manage this systematically.

The compliance audit test: Ask your current IT provider to give you a copy of your current HIPAA risk assessment. If they can't produce it in 24 hours — or if they're confused about what you're asking for — you don't have a HIPAA compliant IT provider. You have an IT provider who says they're HIPAA compliant.

HIPAA Compliant IT Pricing in 2026

HIPAA compliant managed IT costs more than standard managed IT because it requires additional tooling, documentation, and expertise. Here's what to budget:

Organization Size	Monthly Range	Per-User Range	What's Included
Solo / under 10 staff	$1,200–$2,500/mo	$150–$250/user	Monitoring, helpdesk, encryption, backup, BAA, basic audit logging
10–50 staff	$2,500–$8,500/mo	$130–$200/user	All of above + email security, risk assessment, employee training
50–200 staff	$8,500–$28,000/mo	$150–$175/user	All of above + vCIO advisory, formal incident response plan, MDM
200+ staff	Custom	$140–$200/user	Full compliance program, dedicated security resources, OCR audit support

Note: These ranges assume the provider handles compliance documentation and program management, not just the technical controls. IT providers who only implement technology without documentation are providing incomplete HIPAA compliance services.

Who Needs HIPAA Compliant IT Services

HIPAA applies to covered entities and their business associates. In terms of organizations that need HIPAA compliant IT:

Medical practices of all sizes — including solo practitioners. There is no small-business exemption from HIPAA.
Dental practices — dental records are PHI. See our dental practice IT support page for dental-specific guidance.
Behavioral health and mental health providers — including teletherapy platforms that maintain session notes or diagnoses.
Telehealth companies — including those built on platforms like Doxy.me or Zoom for Healthcare. The platform BAA isn't enough; your backend infrastructure needs coverage.
Health tech startups — if your product handles PHI at any point in the workflow, you need HIPAA compliant infrastructure from day one.
Healthcare-adjacent businesses — medical billing companies, third-party administrators, clinical labs, and others who access PHI on behalf of covered entities.

Frequently Asked Questions

What are HIPAA compliant IT services?

HIPAA compliant IT services are managed IT services that implement the specific technical safeguards required by the HIPAA Security Rule: PHI encryption, audit logging, access controls, signed BAA, documented risk assessments, and an incident response plan. Providers must be able to produce documentation proving compliance — not just claim it.

What is a Business Associate Agreement (BAA)?

A Business Associate Agreement is a HIPAA-required contract between a covered entity and any vendor who handles protected health information on their behalf. Your IT provider must sign a BAA before accessing any system that contains patient data. Operating without a signed BAA is a HIPAA violation regardless of whether a breach occurs.

How much does HIPAA compliant IT cost?

HIPAA compliant managed IT typically costs $130–$280 per user per month. A 20-provider medical practice typically pays $4,000–$8,000/month for fully compliant managed IT. Use our IT Budget Calculator to estimate your cost.

Does my EHR vendor's BAA make me HIPAA compliant?

No. Your EHR vendor's BAA covers their application only. Your IT infrastructure — endpoints, email, network, backup, user management — is your responsibility and requires a separate HIPAA-compliant IT provider. Most HIPAA breaches occur at the infrastructure level, outside the EHR.

HIPAA Compliant IT Services: What They Include and How to Find a Provider Who Actually Does This

Get matched with a HIPAA-compliant IT provider