If you manage your own healthcare practice, you’re probably aware that you should comply with HIPAA.
You might also know that you need to get business associate agreements (BAAs) for services like telehealth providers or accountants. HIPAA requires it.
But if you’re unsure if you need to get one for using a particular service – don’t worry! We can help.
This article spells it out for you – what you need to know to confidently choose providers while supporting your HIPAA compliance.
We know a deep dive into HIPAA isn’t how you want to spend your day, so we’ve kept it simple.
Let’s get started… here are the nuts and bolts of BAAs.
First, let’s figure out if you need to read this article. The big question to ask yourself is: do I handle protected health information (PHI)?
PHI: information that relates to:
Examples of PHI:
Then ask yourself if you’re a covered entity. You most likely are if you’re a healthcare practitioner.
If you’re a covered entity and you hire a business for services that involve your clients’ PHI, that business is called a “business associate.”
| Covered entity (CE) | Business associate |
|---|---|
| E.g., physician, therapist, optometrist, dentist, chiropractor, physical therapist | E.g., encrypted email provider, accountant, billing service, attorney, telehealth service |
| Needs to obtain a BAA from vendors if they handle PHI | Needs to provide a BAA to a covered entity |
Suppose you aren’t technically a covered entity. You don’t take insurance and you keep your records on paper or in a file on your computer and don’t transmit them electronically. In that case, you might still want to act as if you are to comply with your professional code of ethics.
Even if you don’t send PHI online, if you keep client records on your computer, you could be at risk for a data breach. This is when confidential information falls into the wrong hands.
In the event of a breach, you could be held accountable under state laws (even if you aren’t a HIPAA covered entity). It helps if you can show compliance with HIPAA since state courts are increasingly using it for their standards.
If you have any doubt if you need a BAA from a particular business, talk to your attorney or your professional organization.
Now that you know if you’re responsible for having BAAs, let’s find out what these agreements are about.
A BAA is a signed document where the business associate takes on the responsibility to keep your clients’ information safe and explains how it will do so. It also outlines the steps they will take in the case of a breach.
HIPAA requires that you get a BAA from every business that could have access to your clients’ PHI.
For example, you might employ an accountant who has access to your clients’ names, account numbers, services rendered, etc. HIPAA requires them to sign a BAA agreeing to protect all of that PHI.
And they need to have safeguards in place to do so, such as…
Here’s the information you need to make sure is in your BAA:
In many cases, the business will have a BAA ready to go.
Note: some businesses might call it something different (e.g., business associate amendment).
Sometimes, you might have to provide them with a BAA template. However, don’t be tempted to grab the first template you find. A BAA has to address the unique circumstances of your practice. It’s a good idea to have your attorney review the template before you use it.
Our BAA has worked well for us for small to medium-sized healthcare practices. If you’re curious what an actual BAA looks like, this is one we sign with our customers at Hushmail:
Or you can also take a look at this sample BAA from the Office of Civil Rights (OCR).
Does everyone who handles your clients’ PHI need to sign a BAA? For the most part, yes. But there are some limited exceptions that you should be aware of.
BAAs are a fairly straightforward matter. However, as with anything concerning HIPAA, people can make mistakes. Let’s look at issues that have tripped up practitioners in the past.
An email service is a good example of this. You’re not asking the vendor to do anything with the PHI except pass it on to the recipient. However, the PHI is in the email provider’s “hands” for some time. Therefore, a BAA must be on record stating that they’ll take responsibility for keeping it safe.
Take care to choose a template that represents what your practice needs. For example, a BAA written for a large medical practice might not work for a small private practice.
Keep in mind that the BAA also mentions your responsibilities in the relationship. When you sign the BAA, make sure you know what you’re agreeing to.
Signing a BAA is just the final step in vetting a new business. Research and ask questions before you sign to make sure they’re willing and able to keep your PHI safe. Some things you might ask about:
At Hushmail, we address all of these points in our HIPAA and security checklist. It’s worth checking to see if other businesses will give you a similar document.
This research might seem like a lot of extra work. However, it’s worth the effort to make sure you’re hiring a business that can back up its promises of security. And it’s part of completing your own risk assessment, which you’ll read more about below.
Just because you signed a BAA doesn’t automatically mean you’re HIPAA compliant. Most likely the BAA will help to cover you if there’s a breach. However, if it’s clear you didn’t research the service at all, you could be held responsible. It’s important to feel satisfied that the service can follow through on their promises to keep your clients’ information safe.
Thoroughly researching the businesses you use should be part of your annual risk assessment. Did you know regular risk assessments are a HIPAA requirement? They are. In fact there are multiple cases of practices being fined large amounts for not having this bit of housekeeping in place.
If you’re not already conducting regular risk assessments, it’s time to start. Don’t worry. A risk assessment doesn’t have to be complicated.
We’ve written a guide to walk you through the steps.
As you grow your practice and need to hire additional services, it might seem more expensive to get the paid subscription that includes the BAA. However, when you look beyond the sticker price at the big picture, that isn’t necessarily the case.
For example, you might want to switch from a fax machine to an online fax service. The free service doesn’t offer a BAA, and the service that provides a BAA requires a subscription.
Understandably, you want to weigh the costs. Let’s look at the bottom line – what might happen if you don’t have a BAA on file?
First, you aren’t HIPAA compliant if you don’t have BAAs for your vendors that touch PHI.
It’s that simple.
Here’s what you could encounter if you’re investigated and found to be missing BAAs:
All of this is expensive and time consuming.
Consider your promise to your clients to protect their information. If you’re hiring vendors and not getting BAAs, you can’t back up your promise of privacy and security.
Without BAAs, if your clients’ data is lost, stolen, or misused, you’re responsible.
BAAs ensure you and your vendors are working together to protect your clients’ information. That alone is reason enough to get them signed. But the other big reason is the one that affects your bottom line – hefty fines.
Here’s one example of how important it is to get a BAA from every vendor that comes in contact with PHI.
In 2013, OCR investigated an orthopaedic clinic in North Carolina after a breach was reported. They discovered that the clinic was giving X-ray films to a vendor to digitize in exchange for recovering the silver from the films. No BAA was in place even though the X-rays included the PHI of 17,300 patients. The oversight cost the clinic $750,000.
If you have any doubt about whether a vendor needs a BAA, just ask yourself this question: Could they come in contact with PHI in any way? If the answer is yes, then they need to sign the agreement.
Now let’s look at what happens if you don’t get that BAA.
Penalties range from a slap on the wrist to six- and seven- (or even eight-) figure fines. They’re separated into four tiers based on the following considerations:
| Tier | Description | Minimum fine per violation | Maximum fine per violation |
|---|---|---|---|
| 1 | Unknowing. You weren’t aware of the rule and couldn’t have realistically avoided the violation. | $141 | $71,162 |
| 2 | Reasonable cause but not willful neglect. You should have been aware of the rule and able to avoid committing the violation, but committed the violation due to reasonable cause, not “willful neglect.” | $1,424 | $71,162 |
| 3 | Willful neglect. You ignored your responsibilities (“willful neglect”) but attempted to correct the violation within 30 days. | $14,232 | $71,162 |
| 4 | Willful neglect and not timely corrected. You ignored your responsibilities and haven’t attempted to correct the violation within 30 days. | $71,162 | $2,134,831 |
At this point we’ve covered pretty much everything you need to know about BAAs. However, if we’ve missed something, let us know, and we’ll answer your questions the best we can in this FAQ section. Here are a few lingering questions you might have now:
Employees don’t need to sign a BAA. However, it’s crucial that you train employees to keep PHI safe. Also, you should put some system in place that holds employees accountable if they mishandle PHI. These rules should be included in an employment agreement along with your practice’s NDA.
A BAA is an agreement between you and a business associate. A business associate subcontractor agreement (BASA) is an agreement between the business associate and another service that might handle your clients’ PHI. For example, a shredding company or risk management consultant.
A BAA is an agreement entered into specifically to protect PHI. As such, it lists safeguards for that purpose. It also outlines steps to take in case of a breach or other situations that could compromise the PHI. A non-disclosure agreement simply requires the signer to keep certain information confidential.
HIPAA does not require NDAs, but it does require BAAs.
If you're using email to communicate with your clients, you need to sign a BAA with your email service. The same goes for the online forms you use to collect information. If you don't have a BAA, you aren’t HIPAA compliant, and you could face fines, ongoing monitoring, and damage to your reputation.
Hushmail provides a secure email service for healthcare professionals, complete with a BAA that comes with the plan.
We also include secure web forms under the same BAA. Your clients can fill out and sign all of your practice forms online and send them back to you through our email. That means no more printing out forms, struggling to read bad handwriting, or scanning them into your system.
With Hushmail, you can assure your clients their information is safe and secure.