So what is a BAA? A BAA, or Business Associate Agreement, is a contract between a HIPAA-covered entity, such as a registered dietitian who handles protected health information (PHI), and a business associate, meaning any company that has access to, and regularly works with, PHI on the covered entity's behalf. A BAA is legally mandated by the HITECH Act of 2009.
Why Do You Need a BAA?
The main focus of a BAA in healthcare is to hold business associates (BAs) accountable for HIPAA non-compliance and to establish a plan if PHI is leaked.
Who Needs a BAA Under HIPAA?
Business associates may be hard to identify. For dietitians and nutritionists, the most common business associates are:
- Your EHR platform, like Healthie
- Videoconferencing software
- A clearinghouse that files insurance claims
BAAs may be completely foreign to you, but you shouldn’t worry if you’ve never worked with them.
Is a BAA Necessary?
Having a BAA is not essential to run your private practice; however, your business attorney will likely ask you to request one. They want to ensure that you have all of the legal paperwork in place to protect you, your clients, and your business.
Practices that use only manual scheduling and physical billing have no need for BAAs because no software is used. However, most private practices these days use some type of platform, like Healthie, so BAAs are necessary.
How do I know if the technology I’m using is HIPAA-compliant?
When it comes down to HIPAA-compliant software, you have two options. Both require a BAA, but these two options are very different.
- Non-compliant “freemium” services, like Skype, Gmail, and Google Drive. These are easy to use and widely available. However, the basic service is not HIPAA-compliant. You must enter into a BAA with the company and pay a fee in order to be legally compliant!
- Fully HIPAA-compliant services, including EHRs like Healthie. Healthie is fully compliant and covers a wide range of services beyond just storing PHI. For example, Healthie includes unique food logging and metric tracking, easy-to-create superbills, and videoconferencing! Websites that are always compliant, regardless of what type of plan you have, are much safer than your average “freemium” plan.
What Happens When Business Associates Violate HIPAA Regulations?
Criminal penalties for HIPAA violations can be severe. If the violation was willful, the criminal penalty can range from $50,000 to $250,000.
What should a BAA include?
- Well-Defined Terms. All contracts require clear outlines for key terms in order to avoid legal ambiguity. Phrases like “protected health information,” “business associate,” and “HIPAA” have specific definitions. You and your business associate should understand what they mean.
- The Process For Dealing With a Data Breach. How will the BA handle a data breach if it were to occur? This is possibly the most important part of a BAA. As partners, your BA should be just as accountable as you are if a data breach occurs; your contract should reflect this idea.
- How the BA Handles Audits From the Office for Civil Rights (OCR). HITECH specifies that HIPAA-compliant BAs are subject to audits from the OCR. Make sure the BAA details exactly how a BA will report and fix any complaints filed by the OCR.
(If you need some help finding detailed clauses or definitions, check out the Code of Federal Regulations’ section on HIPAA.)
The most important thing to remember about BAAs is that they are contracts. They must be as well-written and legally protective as any other contract.
For current Healthie members: you can view a copy of Healthie’s Business Associate’s Agreement (BAA) here.