HIPAA
March 15, 2026 (6 min read)

Business Associate Agreements for Therapy Practices: Who Needs One and What to Look For

Which vendors need a BAA, what to look for in the agreement, and how to track them for your therapy practice. Full guide.


Business Associate Agreements are among the most commonly misunderstood elements of HIPAA compliance for therapy practices. Most therapists know they need one with their EHR vendor. Far fewer realize that their billing service, telehealth platform, scheduling software, email provider, cloud storage service, and potentially their accountant all require BAAs as well. This guide covers who qualifies as a Business Associate, what a proper BAA must contain, and how to manage them without letting any slip through the cracks.

What Makes Someone a Business Associate

Under HIPAA, a Business Associate is a person or organization that creates, receives, maintains, or transmits protected health information on behalf of a covered entity in the course of performing a function or activity for that covered entity.

The key phrase is "on behalf of." If a vendor provides services to your practice and those services involve any access to PHI, they are a Business Associate. The vendor does not need to be in the healthcare industry. They do not need to be licensed. They do not need to understand HIPAA themselves. If they handle PHI for you, they are a Business Associate and you need a signed BAA before sharing any PHI with them.

The Full List of Vendors That Typically Need a BAA

Most therapy practices are surprised by how many vendors qualify as Business Associates once they think through every system touching patient information.

Your EHR system is the obvious starting point. Most EHR vendors provide a standard BAA as part of their signup process, but verify you have one signed and on file.

Your telehealth platform requires a BAA as well. Consumer platforms like FaceTime and standard Zoom do not offer BAAs. Zoom for Healthcare and several purpose-built telehealth platforms do.

Billing and practice management software that handles claims containing patient information qualifies as a Business Associate. The same applies to scheduling software if it stores patient names and appointment information together in a way that constitutes PHI.

Your email provider needs a BAA if you use Google Workspace or Microsoft 365 for practice email and PHI passes through it. Both Google and Microsoft offer BAAs for their business accounts.

Cloud storage is frequently overlooked. If you store any patient-related documents in Google Drive, Dropbox, Box, or similar services, you need a BAA. Most business tiers of these services offer BAAs; personal tiers typically do not.

Transcription services that process session notes or dictation are Business Associates. Managed IT service providers who have access to your systems and therefore potentially to PHI need BAAs as well.

Accounting and bookkeeping services catch many practices off guard. If your accountant or bookkeeper accesses your billing records and those records contain PHI, they are a Business Associate. The accounting firm does not need to understand or agree with this classification. Your obligation to have a BAA exists regardless.

Collection agencies that receive patient information when you refer unpaid accounts also require BAAs.

What a BAA Must Contain

HIPAA specifies the minimum required elements of a Business Associate Agreement in 45 CFR 164.504(e). A proper BAA must include several key provisions.

Permitted uses and disclosures specify what the Business Associate is allowed to do with PHI. A BAA for your EHR vendor would permit them to store and process PHI in connection with providing their software service. There must also be a prohibition on other uses: the Business Associate may not use or disclose PHI for purposes not listed in the agreement.

A safeguards requirement obligates the Business Associate to implement appropriate safeguards to prevent unauthorized use or disclosure of PHI. A reporting requirement means the Business Associate must report any use or disclosure of PHI not provided for by the agreement, including security incidents, to the covered entity.

The subcontractors provision matters as well: if the Business Associate engages subcontractors who will access PHI, they must enter into a BAA with those subcontractors containing the same protections.

Access rights ensure the covered entity can access PHI held by the Business Associate when needed, for example to respond to a patient's request for their records. Amendment provisions require the Business Associate to make PHI available for amendment if directed to do so by the covered entity.

Termination provisions address what happens if the covered entity learns of a material breach: they must take steps to remedy or terminate the relationship. Upon termination, the Business Associate must return or destroy all PHI if feasible.

Red Flags in a BAA

Not every vendor BAA is created equal. Some BAAs offered by vendors are deliberately vague or include provisions that shift inappropriate liability onto you as the covered entity.

Watch for BAAs that do not list specific permitted uses and just say the vendor can use PHI for "business purposes" without defining what that means. Watch for BAAs that do not require the vendor to notify you of security incidents within a specific timeframe. Watch for BAAs that attempt to disclaim all liability for breaches caused by their systems.

You cannot negotiate away the required HIPAA provisions. If a vendor's BAA is missing required elements, that is a compliance problem regardless of what you sign.

When You Cannot Get a BAA

Some vendors will not sign a BAA. Consumer-focused services like personal Gmail, standard Zoom, FaceTime, and most free software tools are not designed for healthcare use and will not offer BAAs. Using these services to transmit PHI without a BAA is a HIPAA violation.

The solution is either to stop using that service for anything involving PHI, or to find an alternative vendor who will sign a BAA. For most common vendor categories, HIPAA-compliant alternatives exist. Switching may involve cost or inconvenience, but it resolves the compliance exposure.

How to Track Your BAAs

The practical challenge with BAAs is not getting them signed initially. It is keeping track of what you have, when BAAs were signed, when relationships with vendors change, and whether there are vendors you forgot.

A BAA tracking system should record every vendor who is a Business Associate, the date their BAA was signed, where the signed document is stored, whether the BAA has an expiration date, and any changes to the vendor relationship that might affect the BAA.

OCR has found in multiple enforcement actions that practices had informal understandings with vendors about data handling but could not produce signed BAA documents. The verbal understanding does not satisfy the written agreement requirement.

BAAs When You Terminate a Vendor Relationship

When you stop using a vendor, the BAA does not automatically end the compliance obligations. Your BAA should require the vendor to return or destroy PHI upon termination of the relationship. Document that you made this request and received confirmation that the data was handled appropriately.
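As an added example (not from the article, and not HIPAA Hub's code), here is a small Python check over a constructed vendor inventory that flags the gaps described in the tracking and termination sections: vendors handling PHI with no signed BAA, signed BAAs with no recorded storage location, BAAs expiring within a warning window, and terminated vendors without confirmed return or destruction of PHI. Vendor names, dates and file paths are all constructed.

```python
# Added example, not from the article: flags the BAA gaps the text describes. All data is constructed.
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Vendor:
    name: str
    handles_phi: bool                   # creates/receives/maintains/transmits PHI for the practice
    baa_signed: Optional[date] = None   # None: no signed BAA on file
    baa_location: str = ""              # where the signed document is stored
    baa_expires: Optional[date] = None  # None: the BAA has no expiration date
    terminated: Optional[date] = None   # date the vendor relationship ended, if it has
    phi_return_confirmed: bool = False  # vendor confirmed return/destruction of PHI

def review_baas(vendors, today, warn_days=60):
    """Return (vendor name, finding) pairs that need action."""
    findings = []
    for v in vendors:
        if not v.handles_phi:            # no PHI access: not a Business Associate
            continue
        if v.terminated is not None:     # return/destroy obligation survives termination
            if not v.phi_return_confirmed:
                findings.append((v.name, "terminated: return/destruction of PHI not confirmed"))
            continue
        if v.baa_signed is None:
            findings.append((v.name, "handles PHI but no signed BAA on file"))
            continue
        if not v.baa_location:
            findings.append((v.name, "signed BAA but storage location not recorded"))
        if v.baa_expires is not None:
            days_left = (v.baa_expires - today).days
            if days_left < 0:
                findings.append((v.name, "BAA expired"))
            elif days_left <= warn_days:
                findings.append((v.name, f"BAA expires in {days_left} days"))
    return findings

REVIEW_DATE = date(2025, 12, 1)   # constructed "today" for the sample run
SAMPLE_VENDORS = [                # constructed inventory for a small practice
    Vendor("EHR system", True, date(2024, 1, 10), "compliance/baa/ehr.pdf", date(2026, 1, 10)),
    Vendor("Telehealth platform", True, date(2025, 6, 1)),            # location never recorded
    Vendor("Bookkeeper", True),                                        # accesses billing records, no BAA
    Vendor("Old cloud storage", True, date(2023, 3, 3), "compliance/baa/storage.pdf",
           terminated=date(2025, 11, 1)),
    Vendor("Website host", False),                                     # no PHI involved
]
if __name__ == "__main__":
    for name, finding in review_baas(SAMPLE_VENDORS, REVIEW_DATE):
        print(f"{name}: {finding}")
```

Run against the sample inventory, the check reports the bookkeeper with no BAA, the telehealth platform with no recorded document location, the EHR BAA expiring in 40 days, and the terminated storage vendor with no destruction confirmation; the website host is skipped because it never touches PHI.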

HIPAA Hub's BAA Tracker lets Practice plan users record every vendor relationship, upload signed agreements, and receive automatic alerts before BAAs expire.


Stop losing track of your BAAs. HIPAA Hub gives private practice therapists the tools to identify which vendors need BAAs, track signed agreements, and get alerts before anything expires. Start your free 14-day trial at hipaahubhealth.com.

Disclaimer: This article provides general educational information about HIPAA requirements and does not constitute legal advice. Consult qualified legal counsel for vendor agreement review.