When should you ask for a business associate agreement?

A Business Associate Agreement (BAA) is a legal document outlining the responsibilities and obligations of a covered entity - your healthcare organization - and its business associates under HIPAA regulations. And you should ask for a business associates agreement whenever protected health information (PHI) is involved.

Basically, any third-party organization that performs services involving protected health information (PHI) on your behalf is considered a business associate. The BAA is required to ensure that the business associate complies with HIPAA rules and safeguards PHI appropriately.

It's unlikely that your practice or organization is handling every single healthcare activity internally, so you're presumably using multiple business associates to help with any number of tasks.  

Related: Business associate agreement provisions

Who are your business associates?

To recap, a Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI for a Covered Entity. 

You're probably already aware of these business associates:

1. Telemedicine platforms: Companies that provide telemedicine services to healthcare providers and may have access to PHI related to patient health information.
2. Billing companies: Companies that process medical bills on behalf of healthcare providers.
3. IT vendors: Companies that provide technical support, data storage, or other IT services to covered entities.
4. Transcription services: Companies that transcribe medical dictation for healthcare providers.
5. Shredding companies: Companies that dispose of paper documents containing PHI.
6. Medical equipment vendors: Companies that sell or lease medical equipment to covered entities.
7. Medical waste disposal companies: Companies that dispose of medical waste for healthcare providers and may have access to PHI contained in the waste.
8. Data analytics companies: Companies that provide data analysis services to healthcare providers based on their PHI.

These services typically work with healthcare professionals and are willing, and even expect to, sign a business associates agreement with you. But what about the vendors that don't serve the healthcare industry specifically? Well, if you don't get that agreement, you're at risk. 

Related: What does it mean to be a business associate?

3rd party vendors who should sign a BAA

The HIPAA Privacy Rule Summary states that "when a covered entity uses a contractor or other non-workforce member to perform 'business associate' services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement."

So, if you're a covered entity entrusting PHI to a third party, then a Business Associate Agreement is required by law. 

Here are some less-obvious examples of business associates that should still sign a BAA with your practice:

1. Your email - if you exchange emails with patients, ensure your email is HIPAA compliant. 
2. Online scheduling apps may have access to PHI related to patient appointments.
3. Note-taking apps where you might store patient notes need to be HIPAA compliant.
4. Law firms that have access to PHI contained in legal documents.
5. Accountants might have access to PHI contained in financial records.
6. Cloud storage providers have access to PHI stored in the cloud.
7. Answering services that answer phone calls on behalf of healthcare providers will often come across protected information.
8. Document imaging companies that scan and digitize paper records on behalf of healthcare providers.
9. Translation services that translate medical documents
10. Cleaning services could come across PHI in the track (if not properly disposed of).
11. Courier services that transport lab results should sign a BAA.
12. Human resources services sometimes may have access to PHI if they run background checks or handle employee benefit administration.
13. Marketing agencies if they get the contact information of patients.
14. Web hosting companies will have access to PHI stored on the provider's website.
15. Transcription software vendors that transcribe medical dictation will also need to sign a BAA.
16. Remote IT support companies can access PHI stored on the provider's computer systems.
17. Collections agencies may have access to PHI related to the debt.

Even sending email newsletters could, depending on the content, require encryption and a BAA, so your email marketing must be HIPAA compliant.

Don't risk it

If you don't get a BAA when required, you might face fines, legal liability, and reputation damage. The penalties can be pretty hefty, ranging from $100 to $50,000 per violation and up to $1.5 million per year for identical violations. Additionally, the Office for Civil Rights will often require corrective action plans, which are time-consuming, costly, and disruptive to your organization.

So take some time to identify all third-party service providers who may have access to PHI and ask to enter into a BAA with each one. This will ensure that all PHI is appropriately safeguarded and that the covered entity is in compliance with HIPAA regulations.

If a vendor can't show compliance with HIPAA regulations or refuses to enter into a BAA, work with someone who will provide the necessary assurances and protections for the PHI. It's just not worth the risk. 

Related: 3 common health tech mistakes you need to know