HIPAA covered entities — health care providers in the US who meet certain criteria — are responsible for protecting their clients’ information under that aptly named set of laws (think about a certain large animal that sounds similar to “HIPAA.”) We also need to make sure the people we hire to handle our information are living up to the same rules. To get that assurance, we use what is called a “Business Associate Agreement.”
HIPAA defines those people we hire to handle personally-identifying client information — e.g. our practice management systems, billing services, etc. — as “Business Associates.” HIPAA states in the Administrative Simplification provisions that we can work with such services if we “…obtain satisfactory assurances that the business associate will appropriately safeguard [personally-identifying client information.]” That “satisfactory assurance” is required by the law to take the form of a contract called a Business Associate Agreement, or “BAA” for short. (Federal agencies may get assurances in other ways, but the rest of us don’t have that luxury.)
Nearly every Business Associate will have a BAA contract ready to go and will ask you to sign theirs. Some even put their Business Associate Agreement language in their Terms of Service, and you agree to it by checking a box when you make your account. This is all normal and acceptable.
What is a BAA?
A BAA is essentially a promise from the Business Associate that they will safeguard your data in the same ways you as a covered entity are required to do. Another important item is the assurance that the Business Associate will track “security incidents,” and provide audit trails, as necessary, of what’s been happening with your data. For example, Business Associates must inform you if they suffer a security breach that impacts you and/or your clients.
Knowing whether a person or company counts as a Business Associate matters not just because it means you need a BAA with them, but also because Business Associate status attaches automatically as soon as they handle any of your protected health information. Even without a BAA in place, the Business Associate relationship can exist! It is similar to forming a clinician-client relationship before the client has completed your informed consent.
If you need a BAA with a group or person who isn’t prepared with a contract, first consider whether or not they are prepared and able to protect your information to HIPAA standards. You’ll want to take their needs into account as well as your own. Taking on HIPAA Business Associate status is a risky legal position to be in, so be careful not to pressure anyone into it if they aren’t ready for it. If they turn out to be up to the job, see our article on free HIPAA forms for links to sample Business Associate Agreement contracts that you can use.
Who Counts As a Business Associate? My Email Provider? The Cleaning Crew?
Picture this: a mental health professional decides that she doesn’t have enough space to keep her own paper records in the office. So instead of keeping them in her own filing cabinet, she hires the office next door to keep them for her. When she needs to, she writes down a session note and then sends it next door where they add the note to the correct client’s file. When she needs to see files, she sends over a request and they bring her a copy of the files she wants to see.
The situation sounds ridiculous, but we do exactly that kind of process every time we use a cloud service in our practices. That includes writing and receiving emails, online record-keeping, doing payment online, and more.
We also do a similar thing when we hire an outside professional or company to do billing, accounting, or other services for us that involve handling our client information.
The common thread among all those examples is that they all use their own resources to handle our information. Very importantly, the clinician who uses these services has no control over how those resources are managed and kept secure. To use Securityland language, those services all work under their own policies and procedures, and they do not follow your policies or procedures.
In such a situation, where we don’t have control over how an outside person or group manages our information, HIPAA requires that we get assurances that they will manage the information to HIPAA standards through the execution of a Business Associate Agreement contract.
Purposeful Contact vs. Accidental or Incidental Contact
A not-totally-obvious conclusion that follows from the above perspective on Business Associates is that BAs are people or companies whose relationship to the clinical practice is specifically intended to include the handling of protected health information.
For example, at Person Centered Tech, we commonly get asked if cleaning services are Business Associates. They have the potential to come into contact with client information and may even handle resources that contain records (e.g. moving file cabinets around in order to clean behind and under them.) The cleaning crew’s potential contact with information is what is called “accidental or incidental.” Because of that, they are not a HIPAA Business Associate. After risk analysis, you may note that some kind of confidentiality agreement with the service is called for. However, that is a very different beast from a Business Associate Agreement.
What About the “Conduit Exception?”
Sometimes companies will claim that no BAA is necessary because they never hold on to your information. They sometimes state that the information is encrypted and that they don’t have the encryption keys (so they can’t read it.) Or they’ll state that they delete the information after you’re done with it. We have been asked many times at Office Hours about such companies, and it’s very rare that they are correct in asserting that no BAA is necessary in order to use them.
Most of these companies are claiming that no BAA is necessary because of the “conduit exception” to the Business Associate Rule. We won’t go into the details of it here, but you can read Rob Reinhardt’s article on the conduit exception here.
We have two concerns that arise when a company claims the conduit exception:
- They are avoiding execution of a BAA contract with you. There are some companies that claim the conduit exception, but they will still execute the contract with you if you ask for it. In that case, they are easier to trust. But a company that wants to handle your client information for you but is avoidant about entering into a BAA may not be a company you want to trust with your information.
- They don’t always understand the details of the conduit exception. We have done many vendor reviews in which a company claims the conduit exception, but we easily found holes in their analysis of the rule. A common error is that the company keeps a record of when you and/or your client accessed the service. This information is protected by HIPAA, and triggers Business Associate status when a company maintains it.
We have seen even more egregious errors in analysis. Unless you already have solid, independently verified reason to trust a given company, we implore you to be wary of trusting any of their analyses that claim you can bypass HIPAA rules by working with them.
Conclusions
Do you use any outside companies (including all your cloud services!) or professionals to perform services wherein they have access to your clients’ personally-identifying information? Do those companies or people follow your practice’s operational policies or do they follow their own? If the answer to that last question is “they follow their own,” consider acquiring a BAA with those people if you don’t already have one.
Hi Roy,
I am a Licensed Professional Counselor Intern in Texas. I’m having a difficult time discerning if my contract work (I am a contracted employee who provides clinical mental health services and has access to, maintains, and creates PHI) at an Outpatient Mental Health Clinic and at my supervisor’s private practice makes me a part of their “Covered Entity” or if I’m a “Business Associate.” Thus, I am unsure if I need to sign a Business Associate Agreement. I’ve read over the HIPAA laws and I can see the argument for each. Do you have any thoughts or resources that will help me know which category I fall under? Thanks!
Hi Chelsea,
Good question! There are two separate reasons why you are *not* a Business Associate to your supervisor/employer.
1. You are working on-site. People on-site do not have to be treated as Business Associates.
2. You are a health care provider, aka you are eligible to be (and maybe are) a covered entity. When covered entities do their covered entity thing, they don’t also take on Business Associate relationships.
If you acted as a biller or something for your bosses, however, that would be a different story.
My email host refuses to sign a BAA.
We have encryption on both the mail server itself and within transmission of emails (SSL). Do we still need the BAA agreement with them?
The feds have stated a position that any company that stores PHI online is a BA, regardless of the encryption situation. Thus, I have been advising people that they need BAAs with email providers. It’s not necessarily a sensible state of affairs, but it seems to be the one we’re in.
Hi Roy, thanks for all the valuable info you’re giving folks out here!
Question for you. I have a therapist client who has signed up for email and hipaa-compliant hosting at EmailPros. We are developing a WordPress website for her. She asked if we need to sign a BAA.
I don’t know that we will have access to any PHI.
Have you run into this before for web developers?
Thanks.
Hi Becky,
Typically web designers/developers would not be BAs. If you make no contact with PHI, then it’s a moot point.
If there are further details than that, however, then you’re gonna want to get a legal opinion.
Cheers,
-Roy
Hi Roy-
If the BAA is included in the TOS, is this sufficient? I thought I had read it had to be signed (even if electronically), but the company is insisting it’s fine.
Thanks!
Do you have a template for a HIPAA Compliant Business Associate Agreement available for sale or for free? I am an LMFT who is hiring a person to do my billing. thanks
Hi Roy, great blog! If I am a trainer or a nurse for a school and I create and maintain medical records, and I would like to back up my records on Google Apps for Education. Two questions: are trainers and nurses “covered entities”? If I sign a BAA with Google Apps, can I use it for backup? Thanks!
Hi Rob,
Why not check out our article on covered entity status: https://dev-personcenteredtech.com/2013/05/16/am-i-a-hipaa-covered-entity-how-much-does-it-matter-if-i-am-or-not/
You might also want to read through some of our articles on the process of HIPAA compliance. Our guided reading on the topic is free to Newsletter subscribers: https://dev-personcenteredtech.com/hipaa-security-compliance-in-mental-health-a-guided-reading/
Hello Roy,
I have a question. My clinic uses Google Drive to store documents and files that contain HIPAA info. How can I get a BAA for that?
Hi Jennifer,
Please take a look at https://dev-personcenteredtech.com/2013/11/18/google-and-hipaa-compliance-gmail-drive-and-calendar-now-accessible-for-health-care-professionals/ for all the details about a BAA with Google.
Just dropping in to say THANK YOU!!! You make our lives so much easier, Roy! I appreciate your boatloads of generosity in sharing your tech-brain with us!
Hey, thanks, Tamara! Your support is definitely appreciated, too! :)
Please note that the back-up service provided by QuickBooks has a BAA service. You need to contact them to make sure that you get and pay for the correct service. I believe that this is also the case for Carbonite backup services.
Thanks for the tip. We can definitely confirm that about Carbonite. I didn’t know that about QuickBooks, though!
Do I need a BAA for my accountant? They don’t see client names as a general rule, although if a check bounces the client name appears on my checking account statement and they work with that. It seems a bit much to ask for a BAA in this case? Or do I need this confidentiality agreement you mention, and can you direct me to one? Finally, I think I read that I don’t need a BAA from my bank, even though every week they see who writes me a check….Thanks so much Roy.
Hi Marilee,
You’re correct that you don’t need a BAA from your bank, as banks are exempted from the HIPAA rules when performing the basic functions of processing payments. For details please see Roy’s article on Banks & HIPAA
For your accountant, a BAA is strongly advised — even if they don’t see client names as a general rule, their contact with PHI when it does occur wouldn’t be deemed incidental. You can find a link to a great free sample BAA form in Roy’s article on free HIPAA forms and tools.
I am a software company and meet the terms of a business associate under HIPAA. Some of my customers have provided me with a BAA and I have signed it. Others have not. Am I obligated to execute a BAA with these covered entities if they neglect to do so, or is it their responsibility?
Hi Kalon,
If you’re running up against this issue, you may wish to speak to your attorney. We also do consultation for software providers and can probably help. This specific question calls for legal advice, though.
Best,
-Roy
Hi Roy! I’m a lactation consultant (IBCLC) and also author of a book and resources for IBCLCs called Paperless Private Practice for the IBCLC. I recommend your resources all the time. A question came up recently in my FB group and I am going in circles trying to answer it. Hoping you can provide some insight.
If I am using a cloud-based EHR/EMR that is a HIPAA-covered entity because it offers an integrated insurance billing service, do I need a BAA with them?
Thank you!
And just posting this because I forgot to check the notification boxes and I don’t want to miss the response.
You definitely need a BAA with EMR and billing services both. :)
Thank you for this Roy! I work at a drug rehab and we are wanting to bring a free guest speaker on campus, she will obviously be meeting the clients. Does she need to sign a BAA?
Hi Victoria! Thanks for reading our article. This is the perfect example of a question for our Office Hours. A membership benefit that allows you to ask our HIPAA experts all of your nuanced questions on a weekly basis. Check out membership here.
Hi!
I have an administrative BA definitions question.
I work as a contractor for an agency that services a contract providing services to a large organization. AKA My CEO is the administrator/awardee of the contract and I am a contractor to both her and the large organization.
What is the definition of my CEO / Administrator as it relates to BAA/HIPAA/Confidentiality? And my fellow professional team?
Is the CEO a business associate, the covered entity, or something else?
I am trying to find clarification regarding confidentiality with regard to how we communicate and share information with each other, i.e. do we all need BAAs to communicate information, or are we considered the same covered entity?
Thank you so much!
Hello, Kristen.
Thanks for reaching out on this topic. If you would like additional support on this topic Person Centered Tech offers membership and consultation services. You can learn more about membership here: https://dev-personcenteredtech.com/person-centered-tech-support/ You can learn more about consultation services here: https://dev-personcenteredtech.com/web-consulting-services-and-fees/consulting-for-mental-health-professionals/