HIPAA Compliance: What Is a BAA and Why Should I Care?
- David Craig, MD
- February 2, 2017
- October 26, 2023
Even the simplest medical practice is actually fairly complex, and because of this, almost no healthcare organization handles all of its activities internally. With needs ranging from coding to billing to EHR software provision, a typical medical practice will have necessary relationships with at least a few outside companies. The federal government regulates interactions with such “business associates” via HIPAA, and a crucial piece of this regulation is found in the “business associate agreements” (BAAs) that the law mandates.
For this piece, we’re also excited to welcome Dr. Carlene MacMillan of Brooklyn Minds as an expert reviewer and commenter. Practicing in psychiatry, one of the most privacy-sensitive fields of medicine, Dr. MacMillan has developed a uniquely deep understanding of the crucial role that BAAs play in modern healthcare, and we’ll feature her tips and insights throughout the article.
At heart, the BAA requirement under HIPAA is simple for care providers: every covered entity must have a written agreement with each of its business associates, or else it is not compliant with HIPAA regulations. [1,2]
That summation is succinct, but it likely raises a few big questions for you:
- Am I a covered entity?
- Who are my business associates?
- What things have to be in a business associate agreement?
- Why should I care about any of this?
So let’s answer those!
Am I a Covered Entity?
If you are providing healthcare in the United States, you are most likely considered a “covered entity” under HIPAA, which means that you must abide by all of its regulations.
“There are many apps out there that offer high-level encryption for text and video, but all that is useless to me if the company will not sign a BAA.” – Dr. MacMillan
The exact definition of a covered entity is slightly more nuanced, though, and if you want to dig deeper on this, we covered the topic more thoroughly in a previous article. The government also provides useful information, including a flowchart to help you determine your status.
Again, though, if you’re providing healthcare in America, you are safest assuming that you are a covered entity and that you must follow HIPAA.
Who Are My Business Associates?
The short answer is that a “business associate” under HIPAA is any outside person or company that interacts with your organization’s protected health information (PHI). [3]
As always, the long answer is longer, but it does not change the overall correctness of this rule of thumb for the majority of cases. Notably, the actual language of HIPAA imparts business associate status on any entity that “creates, receives, maintains, or transmits protected health information” on behalf of a covered entity. That set of verbs ensures that basically anybody outside of your organization counts as your business associate if they touch your PHI in any way.
“As an outpatient child and adolescent psychiatrist in private practice, being able to text with patients and use video chat are two aspects of my practice that are directly impacted by the need for a BAA. I do not want patients and families texting me on my personal cell, so looking for a service that would allow that and also sign a BAA was challenging.” – Dr. MacMillan
The government also provides summary guidance on the topic of HIPAA business associates, which gives more exact detail, should you want it. And if you’re wondering whether the phone company or postal service might count as your business associate because you use it to “transmit” PHI, don’t worry: HIPAA prevents this with the “conduit exception,” which we covered in a previous discussion. This exclusion only applies to certain types of transmission, however, so the phone company does indeed become your business associate if you use it for other purposes, such as storing voicemail.
One final important note: if a business associate has its own downstream business associate (a “subcontractor”), then the two organizations must also have a HIPAA-compliant written contract in place between each other. There has to be an intact chain of agreements stretching from the covered entity through to all organizations that touch its PHI. The covered entity itself does not need BAAs with subcontractors, but its business associates must have them.
What Things Have to Be in a BAA?
HIPAA mandates that every BAA contain certain basic elements, and it enumerates these in a good amount of detail. [4,5] The major focus of the requirements is to make it explicit that a business associate is just as beholden to HIPAA as is a covered entity, and the totality of the requirements functions as a blueprint that essentially every BAA should follow.
“It is also important to check if all the features of a company you work with are covered by the BAA. For example, the program we use in our practice for email and cloud storage has a BAA covering those aspects but not their VoIP phone service, so we use a separate service for phone/video/texting.” – Dr. MacMillan
Helpfully, the government provides sample BAA language that implements these stipulations, which can be used to construct a new BAA or to compare against an existing agreement that you are being offered. While BAAs do not have to use the exact government language, they should all be conceptually similar and have mostly the same pieces.
BAAs may also contain contractual provisions that HIPAA does not require. You should review any BAA carefully before signing it to make sure that it protects you and your organization adequately and that it does not place any undue demands on you or cause you to forfeit any important rights. BAAs are legal documents, and as such, a lawyer may be useful (or vital) in your review of them.
Why Should I Care?
The federal government has the latitude to impose both civil monetary fines and criminal punishments upon individuals and organizations that violate HIPAA. Under the current omnibus HIPAA rules, each violation can incur a penalty of up to $50,000, with repeat violations of the same provision costing as much as $1.5 million per year.
These potential sums are not just theoretical. In a recent case, the government imposed a $400,000 fine on a healthcare organization that could have avoided the punishment by having an adequate BAA in place. The modern healthcare regulatory environment clearly demands that physicians and other providers pay careful attention to HIPAA and its attendant BAAs or else be ready to pay out for the consequences.
Up-to-date and complete business associate agreements are vital to every healthcare organization’s HIPAA compliance plan. If a company will not sign an appropriate BAA with your organization, then you should not trust them with your patients’ PHI. It’s that simple and also that important.
This article is part of a series of posts relating to HIPAA law and regulation. The information provided is meant as general guidance only and is not intended to be legal advice.
Need a BAA for your patient voicemails and messages?
Join thousands of practices that are making communication simple, reliable, and HIPAA-compliant on Spruce. Ready to learn more? Reach out to support@sprucehealth.com.
References:
1. 45 CFR §164.308(b)(3)
2. 45 CFR §164.502(e)(2)
3. 45 CFR §160.103, definition of “business associate”
4. 45 CFR §164.504(e)
5. 45 CFR §164.314(a)