Should I have any legal contract with my BA to protect ePHI data residing with them?

Yes. HIPAA, as strengthened by HITECH, requires a written Business Associate Agreement (BAA) with each BA that creates, receives, maintains or transmits ePHI on your behalf. The BAA must spell out the permitted uses and disclosures of the PHI, the safeguards the BA will apply, its duty to report breaches and security incidents to you, and its obligation to flow the same terms down to any subcontractor. Experts at EHR 2.0 can help you draft and review such contracts. You can reach us at