Provided by:  Jennifer Kirschenbaum, Esq.

April 20, 2017



Hi Jennifer,

When do I need a business associate agreement in place and is it a big deal if I don't have one?


Dr. T 


A business associate agreement is necessary any time a third party that is not also a covered entity has access or exposure to individually identifiable patient information in your custody. So, to break it down to practicalities - you need one with your IT person, your cleaning company, a copier company that services a machine that maintains electronic copies of what it copies or scans, your billing company, and anyone or any party with access to your practice management software. The above list excludes employees that work for you, who would be covered under the employee workforce agreements you had them fill out and the handbook terms they have to abide by.

Failing to have contractual protections in place from third parties with access to patient information in your custody, or from your employees for that matter, means you are exposed - completely open - sitting duck status - to a patient complaint or review by the Office for Civil Rights should a third party or employee improperly disclose patient information. And failing to have proper paper compliance in place will potentially show willful neglect on your part - which puts you into a punitive category in the government's eyes - resulting in much higher penalties for noncompliance. With compliance, the motto from the government is: an ounce of prevention is worth a pound of cure. If you have a good business associate agreement or employment forms, you would have contractually shifted responsibility to the third party responsible...

For flat-fee BAAs with risk-shifting provisions or employment forms, check out KK Compliance here.