Business Associate Agreements:
Do We Really Need Them?

I sometimes hear therapists mention specific software programs they’re using in their practices for tasks like notes, calendar/schedulers, online file storage, billing, video sessions or email and then add something like, “They’re HIPAA compliant. They just don’t – you know – have Business Associate Agreements.”

This is not only wrong, it’s SCARY wrong. If you don’t have a Business Associate Agreement (BAA) with each software company that stores or transmits your clients’ PHI (Protected Health Information), that by itself is a HIPAA violation, even if everything else you’re doing is in perfect compliance. If caught, you could be facing a “willful neglect” penalty, and those start at $50K per violation. Claiming ignorance won’t exonerate you. As healthcare professionals, it is our responsibility to understand and implement HIPAA in our practices.

There’s another problem with the scenario above: products can’t be HIPAA compliant. What determines compliance is a combination of using products that meet HIPAA’s standards PLUS enforcing the HIPAA policies and safeguards you have in place for your practice. Although products do need some way to let you know that, if used correctly, they can contribute to your overall compliance strategy, it would be more accurate for healthcare products to state “Can Be HIPAA-Compliant-If-Your-Policies-Are-Correct-And-Up-To-Date-And-You-Are-Enforcing-Them.” For obvious reasons, products tend to just say they are HIPAA compliant and leave it up to the healthcare professional to understand their role in the compliance equation. However, it’s important to realize that just using a product that advertises HIPAA compliance does NOT automatically make your practice HIPAA compliant. Furthermore, if the company behind a product won’t either provide you with their BAA or sign yours, it will never be possible to use that product and be in compliance with HIPAA.

Ensuring HIPAA compliance consists of, at a minimum, the two factors below. If you have one but not the other, you are not in compliance:

  • SOFTWARE: Only use software that meets HIPAA’s standards (which includes, among other things, that if the software company stores or transmits PHI, you must have a BAA with them).
  • YOU: Make sure your own HIPAA policies accurately describe your practice, are current, and are enforced.

If you’re a PSYBooks subscriber, you were given a BAA when you first signed up. You can also access it from the program at any time. That means that whether you’re using PSYBooks for your notes, email, billing, scheduling, online file storage, video sessions or any other PSYBooks feature, you’re covered from our end. If you’re concerned about your practice’s HIPAA policies, a good resource is The HIPAA Survival Guide.

(Note: PSYBooks subscribers are eligible for discounts on HIPAA Survival Guide products.)