Between juggling schedules, providing care, marketing, and managing finances, a lot goes into running a private practice. Thankfully, a variety of organizations and tools help with these demands, but using them requires giving access to protected health information. So, how do you use these resources while ensuring compliance and privacy?
That’s where Business Associate Agreements (BAAs) come in.
What is a Business Associate Agreement?
To understand BAAs, you must first understand HIPAA.
HIPAA applies to covered entities, which include health plans, clearinghouses, and healthcare providers who conduct electronic healthcare transactions. (Not sure you're a covered entity? Check out the Covered Entity Guidance tool at CMS.gov.) This means that the privacy and security provisions that govern your protected health information may not apply directly to the resources you use to help manage different aspects of your practice. That’s why you need the help of business associates, which are vendors, partners or other entities that provide services to or perform functions on behalf of a covered entity.
Because business associates aren't governed by HIPAA like covered entities are, HIPAA requires that covered entities have a BAA with each business associate.
A BAA is a written contract, typically provided by vendors, that:
- Defines how the business associate may use and disclose protected health information
- Requires the business associate to implement safeguards consistent with the Security Rule to protect health information
- Requires the business associate to notify the covered entity in the event of a breach
- Ensures that all subcontractors of the business associate comply with similar rules
Make sure your BAA policies are in line with the Notice of Privacy Practices (NPP) you provide your clients (referred to as a "HIPAA Agreement" in TherapyNotes™). Also, get an attorney to review the BAA before signing it, since these contracts can vary in content between different business associates.
Do I need Business Associate Agreements?
If you're a covered entity, BAAs are necessary if you elect to use an EHR (like TherapyNotes™) or are in a situation where someone who is not a member of your practice has access to your protected health information (such as telehealth platforms and billing or invoicing services).
For TherapyNotes™ Users: As a business associate for your practice, TherapyNotes™ has developed a BAA to help you adhere to these guidelines. This BAA must be signed and uploaded into TherapyNotes™ in order for your practice to remain HIPAA-compliant. For more information, visit our help center and read Business Associate Agreement (BAA).
However, HIPAA does make some exceptions. For example, you don't need a BAA with the bank to cash a check from your client or with the post office to mail an invoice. But for most activities, you're better served having BAAs in place.
If you’re not a covered entity, though, you’re not required to have BAAs since you’re not governed by HIPAA guidelines. But you may still want to have written contracts with vendors to help ensure they’re held accountable for breaches of client data.
For more information, check out HHS.gov's Business Associates FAQ.

* The content of this post is intended to serve as general advice and information. It is not to be taken as legal advice and may not account for all rules and regulations in every jurisdiction. For legal advice, please contact an attorney.