STEP-BY-STEP

Business Associate Decision Tree

This decision tree will help you determine whether a vendor is a "business associate" under HIPAA and therefore requires a Business Associate Agreement (BAA).

DPH Office of Compliance and Privacy Affairs

Step 1: Will the vendor handle PHI as part of the work?

Handling PHI includes receiving, accessing, maintaining, collecting, creating, or transmitting PHI on the department's behalf.

If no, BAA not required.

If yes, go to Step 2.


Step 2: Is the department the vendor is working with one of the departments listed below?

Covered departments: DPH, HSS, SFFD, CAT, TTX, and DOT.

If no, BAA not required.

If yes, go to Step 3.


Step 3: Does either of the following HIPAA exceptions apply?

  • The vendor is a healthcare provider and receives PHI only to treat the individual

OR

  • The vendor is a health plan and receives PHI only for payment purposes

If yes, BAA not required.

If no, go to Step 4.


Step 4: Will the vendor carry out any HIPAA‑regulated functions or activities using PHI on the department's behalf?

These are operational functions that HIPAA specifically regulates, such as:

  • Claims processing or administration
  • Data analysis, processing, or administration
  • Utilization review
  • Quality assurance or patient safety activities
  • Billing or benefit management
  • Practice management or repricing services

If no, go to Step 5.

If yes, go to Step 6.


Step 5: Will the vendor provide professional or administrative services to the department that involve the use or disclosure of PHI?

These are the services HIPAA lists as business associate services, including:

  • Legal
  • Actuarial
  • Accounting or auditing
  • Consulting
  • Management or administrative support
  • Accreditation
  • Financial services

If no, BAA not required.

If yes, go to Step 6.


Step 6: Will the vendor need routine or ongoing access to PHI to perform the work, rather than only incidental or occasional contact with it?

Examples of routine access include cloud hosting, records storage vendors, health information exchanges (HIEs), e‑prescribing gateways, and maintenance of equipment or devices that store PHI.

If no (access would be only incidental or occasional), BAA not required.

If yes, BAA required.