The Low Down on BAAs
In the past I have been asked frequently about Business Associate Agreements, or “BAAs.” Let’s break down the what, why, when, and how of this compliance rule.
What is a BAA?
A “BAA,” or Business Associate Agreement, is a contract between covered entities (who are regulated by HIPAA because of their contact with PHI) and the various providers who may serve them and, as a result, also have contact with PHI. More on those specific “providers” later…
Why do I need a BAA?
Well, in short… to be compliant. But, beyond that, the goal of putting a BAA in place is to protect your clients. The BAA says, essentially, that whomever you allow to access PHI promises to treat it appropriately and keep it secure and private.
When do I need a BAA?
Therapists, as covered entities, should have a signed BAA in place before permitting any 3rd party to have access to client PHI. Therapists often find they need BAAs with people/entities like billers, cloud storage providers, email providers, or practice management system providers.
How can I get a BAA?
There are numerous businesses developing these days to help providers with their HIPAA compliance–organizations that understand HIPAA and what’s required to keep PHI safe and secure. These organizations will sign a BAA–but they probably won’t be free. If you have been relying on services like Gmail, you may find it difficult to acquire a BAA because these free services often won’t take on the liability.
Personally, I use and recommend Google Apps for Business. Google Apps for Business is an affordable Do-It-Yourself way to create a cloud-based practice management system. It also provides you with a HIPAA compliant system for email and a calendar. You can learn more by checking out this short video: https://hipaafortherapists.com/google-apps-for-business/
The language of a basic BAA, as well as a sample, can be found at: https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html