If you manage your own healthcare practice, you’re probably aware that you should comply with HIPAA.
You might also know that you need to get business associate agreements (BAAs) for services like telehealth providers or accountants. HIPAA requires it.
But if you’re unsure if you need to get one for using a particular service – don’t worry! We can help.
This article spells it out for you – what you need to know to confidently choose providers while supporting your HIPAA compliance.
We know a deep dive into HIPAA isn’t how you want to spend your day, so we’ve kept it simple.
Let’s get started… here are the nuts and bolts of BAAs.
How to know if you need a BAA
First, let’s figure out if you need to read this article. The big question to ask yourself is: do I handle protected health information (PHI)?
PHI is information that relates to:
- A person’s past, present, or future physical or mental health or condition
- The provision of healthcare to a person
- Payment for a person’s healthcare
Examples of PHI:
- Email address
- Social Security number
- Acknowledgment that a person is your client
- Client notes from a telehealth session
- Recommendations to join a support group
Then ask yourself if you’re a covered entity. You most likely are if you’re a healthcare practitioner.
If you’re a covered entity and you hire a business for services that involve your clients’ PHI, that business is called a “business associate.”
| Covered entity (CE) | Business associate |
| --- | --- |
| E.g., physician, therapist, optometrist, dentist, chiropractor, physical therapist | E.g., encrypted email provider, accountant, billing service, attorney, telehealth service |
| A healthcare provider, healthcare clearinghouse, or a health plan that takes insurance or sends PHI electronically | A business that provides services to a covered entity and handles PHI while providing the service(s) |
| Needs to obtain a BAA from vendors if they handle PHI | Needs to provide a BAA to a covered entity |
If you aren’t a covered entity… act as if you are
Suppose you aren’t technically a covered entity. You don’t take insurance and you keep your records on paper or in a file on your computer and don’t transmit them electronically. In that case, you might still want to act as if you are to comply with your professional code of ethics.
Even if you don’t send PHI online, if you keep client records on your computer, you could be at risk for a data breach. This is when confidential information falls into the wrong hands.
In the event of a breach, you could be held accountable under state laws (even if you aren’t a HIPAA covered entity). It helps if you can show compliance with HIPAA since state courts are increasingly using it for their standards.
If you have any doubt if you need a BAA from a particular business, talk to your attorney or your professional organization.
What is a Business Associate Agreement (BAA)?
Now that you know if you’re responsible for having BAAs let’s find out what these agreements are about.
A BAA is a signed document where the business associate takes on the responsibility to keep your clients’ information safe and explains how it will do so. It also outlines the steps they will take in the case of a breach.
HIPAA requires that you get a BAA from every business that could have access to your clients’ PHI.
For example, you might employ an accountant who has access to your clients’ names, account numbers, services rendered, etc. HIPAA requires them to sign a BAA agreeing to protect all of that PHI.
And they need to have safeguards in place to do so. Such as…
- A secure way to store records
- Anti-virus software to protect files
- A secure email service to send documents safely
Business Associate Agreement requirements
Here’s the information you need to make sure is in your BAA:
- How the business will use your clients’ PHI
- What their responsibilities are in the event of a breach
- A statement that the business will take steps to keep PHI safe
Find a good Business Associate Agreement template
In many cases, the business will have a BAA ready to go.
Note: some businesses might call it something different (e.g., business associate amendment).
Sometimes, you might have to provide them with a BAA template. However, don’t be tempted to grab the first template you find. A BAA has to address the unique circumstances of your practice. It’s a good idea to have your attorney review the template before you use it.
Our BAA has worked well for us for small to medium-sized healthcare practices. If you’re curious what an actual BAA looks like, this is one we sign with our customers at Hushmail:
Or you can also take a look at this sample BAA from the Office of Civil Rights (OCR).
Exceptions to the BAA requirement
Does everyone who handles your clients’ PHI need to sign a BAA? For the most part, yes. But there are some limited exceptions that you should be aware of.
- Other healthcare providers when PHI is shared for treatment purposes
- Health plans such as Medicaid
- Health plan sponsors (such as an employer)
- Internet service providers (such as your cable company)
- US Postal Service
- Other courier services
Common BAA mistakes
BAAs are a fairly straightforward matter. However, as with anything concerning HIPAA, people can make mistakes. Let’s look at issues that have tripped up practitioners in the past.
Not recognizing when electronic PHI passes through a service (even if you don’t actively hand it over)
An email service is a good example of this. You’re not asking the vendor to do anything with the PHI except pass it on to the recipient. However, the PHI is in the email provider’s “hands” for some time. Therefore, a BAA must be on record stating that they’ll take responsibility for keeping it safe.
Relying on a BAA template without reviewing it carefully
Take care to choose a template that represents what your practice needs. For example, a BAA written for a large medical practice might not work for a small private practice.
Keep in mind that the BAA also mentions your responsibilities in the relationship. When you sign the BAA, make sure you know what you’re agreeing to.
Not assessing a business thoroughly enough before signing a BAA
Signing a BAA is just the final step in vetting a new business. Research and ask questions before you sign to make sure they’re willing and able to keep your PHI safe. Some things you might ask about:
- Risk assessments
- Safeguards to protect PHI
- Policies and procedures
- Any history of data breaches and how they handled them
At Hushmail, we address all of these points in our HIPAA and security checklist. It’s worth checking to see if other businesses will give you a similar document.
This research might seem like a lot of extra work. However, it’s worth the effort to make sure you’re hiring a business that can back up its promises of security. And it’s part of completing your own risk assessment, which you’ll read more about below.
Expecting a signed BAA to guarantee HIPAA compliance
Just because you signed a BAA doesn’t automatically mean you’re HIPAA compliant. Most likely the BAA will help to cover you if there’s a breach. However, if it’s clear you didn’t research the service at all, you could be held responsible. It’s important to feel satisfied that the service can follow through on its promises to keep your clients’ information safe.
Thoroughly researching the businesses you use should be part of your annual risk assessment. Did you know regular risk assessments are a HIPAA requirement? They are. In fact there are multiple cases of practices being fined large amounts for not having this bit of housekeeping in place.
If you’re not already conducting regular risk assessments, it’s time to start. Don’t worry. A risk assessment doesn’t have to be complicated.
We’ve written a guide to walk you through the steps.
Is a BAA really necessary?
As you grow your practice and need to hire additional services, it might seem more expensive to get the paid subscription that includes the BAA. However, when you look beyond the sticker price at the big picture, that isn’t necessarily the case.
For example, you might want to switch from a fax machine to an online fax service. The free service doesn’t offer a BAA, and the service that provides a BAA requires a subscription.
Understandably, you want to weigh the costs. Let’s look at the bottom line – what might happen if you don’t have a BAA on file?
First, you aren’t HIPAA compliant if you don’t have BAAs for your vendors that touch PHI.
It’s that simple.
Here’s what you could encounter if you’re investigated and found to be missing BAAs:
- Ongoing monitoring requiring risk assessments and regular reports
- A hit to your reputation
All of this is expensive and time consuming.
Consider your promise to your clients to protect their information. If you’re hiring vendors and not getting BAAs, you can’t back up your promise of privacy and security.
Without BAAs, if your clients’ data is lost, stolen, or misused, you’re responsible.
Penalties for Business Associate Agreement failures
BAAs ensure you and your vendors are working together to protect your clients’ information. That alone is reason enough to get them signed. But the other big reason is the one that affects your bottom line – hefty fines.
Here’s one example of how important it is to get a BAA from every vendor that comes in contact with PHI.
No BAA from service that harvests silver from x-rays
In 2013, OCR investigated an orthopaedic clinic in North Carolina after a breach was reported. They discovered that the clinic was giving X-ray films to a vendor to digitize in exchange for recovering the silver from the films. No BAA was in place even though the X-rays included the PHI of 17,300 patients. The oversight cost the clinic $750,000.
If you have any doubt about whether a vendor needs a BAA, just ask yourself this question: Could they come in contact with PHI in any way? If the answer is yes, then they need to sign the agreement.
Penalties for neglecting to get your BAAs
Now let’s look at what happens if you don’t get that BAA.
Penalties range from a slap on the wrist to six- and seven- (or even eight-) figure fines. They’re separated into four tiers based on the following considerations:
- How many patients were affected and the extent of the damage
- How much you blatantly ignored your responsibilities
- How quickly you attempted to fix the problem
| Circumstances | Penalty |
| --- | --- |
| You weren’t aware of the rule and couldn’t have realistically avoided the violation | Minimum fine of $100 per violation up to $50,000¹ |
| You should have been aware of the rule but didn’t ignore your responsibilities on purpose | Minimum fine of $1,000 per violation up to $50,000 |
| You ignored your responsibilities but have attempted to correct the violation | Minimum fine of $10,000 per violation up to $50,000 |
| You ignored your responsibilities and haven’t attempted to correct the violation | Minimum fine of $50,000 per violation |
¹ OCR can choose to waive a financial penalty for cases where the practitioner could not have been expected to avoid a data breach. The above penalty amounts are an estimate. Amounts are adjusted each year for inflation.
At this point we’ve covered pretty much everything you need to know about BAAs. However, if we’ve missed something, let us know, and we’ll answer your questions the best we can in this FAQ section. Here are a few lingering questions you might have now:
Do employees need to sign a BAA?
Employees don’t need to sign a BAA. However, it’s crucial that you train employees to keep PHI safe. Also, you should put some system in place that holds employees accountable if they mishandle PHI. These rules should be included in an employment agreement along with your practice’s NDA.
BAA vs BASA – what’s the difference?
A BAA is an agreement between you and a business associate. A business associate subcontractor agreement (BASA) is an agreement between the business associate and another service that might handle your clients’ PHI. For example, a shredding company or risk management consultant.
BAA vs NDA – what’s the difference?
A BAA is an agreement entered into specifically to protect PHI. As such, it lists safeguards for that purpose. It also outlines steps to take in case of a breach or other situations that could compromise the PHI. A non-disclosure agreement simply requires the signer to keep certain information confidential.
HIPAA does not require NDAs, but it does require BAAs.
Get a BAA from your secure email and form services
If you're using email to communicate with your clients, you need to sign a BAA with your email service. The same goes for the online forms you use to collect information. If you don't have a BAA, you aren’t HIPAA compliant, and you could face fines, ongoing monitoring, and damage to your reputation.
Hushmail provides a secure email service for healthcare professionals, complete with a BAA that comes with the plan.
We also include secure web forms under the same BAA. Your clients can fill out and sign all of your practice forms online and send them back to you through our email. That means no more printing out forms, struggling to read bad handwriting, or scanning them into your system.
With Hushmail, you can assure your clients their information is safe and secure.