HIPAA Myth #5

Even with a BAA, there is still shared liability between the covered entity (you) and business associates. Even if you’re breached and it’s the business associate’s fault, healthcare providers may still share monetary penalties or fines with their business associates.

The biggest thing to remember here is that you should share only the minimum need-to-know data with your business associates, and regularly validate that they are handling your patients’ PHI in a HIPAA-compliant manner.