You need a Business Associate Agreement with your IT Person (and others)

If you are a dental specialist and have computers in your Practice and have an external IT person that looks after them, you need a HIPAA Business Associate Agreement (BAA) with them.   I know you are squirming and wish this didn’t apply to you, but it’s pretty simple and clear that it does.

You want this – it protects YOU and your Practice.  The BAA is essentially your way to require people that help you with your business must take the care of the Protected Health Information (PHI) they come in contact with.  Nothing evil about this, you just want them to be as careful as you are.  (PHI can be as simple as your patient’s name).

A BAA is not just for your IT people, it also includes any other third party service provider you give access to your Practices PHI.   There could be several of these if you use services like:

  • Any of your Practices software providers that contain PHI if you allow their technical support staff to connect to your computers to allow them to trouble shoot issues (this gives them access to PHI).  These may include:
  • Sesame Communication, Televox or others that reach into your Practice Management (PM) database and siphon out data to use to send patient reminders or other patient communications.
  • Companies that ‘mine’ your PM database to give you performance statistics such as Demand Force, Gaidge, Lighthouse 360 and others.
  • 3D modelling software such as Invisalign, OrthoCAD, Suresmile and others.
  • Patient benefits programs such as Patient Rewards Hub and others.
  • Internet Backup provider such as Carbonite, Mozy, Oak Tree Storage and others.
  • Email provider if your email is hosted externally and you send PHI via email (this will be challenging to get).
  • If you use a company to shred your records and you hand them over to them and they take them somewhere out of your control to do the shredding.  If the company pulls up with a truck and shreds them right in front of you in the parking lot, I’d say that’s different and wouldn’t require a BAA.
    • Is this silly?  Read about the Indiana Dentist that was the first Dentist successfully prosecuted under HIPAA rules because his shredding company screwed him over.  Can you guess who didn’t have a BAA?
  • This isn’t every possible integration in your Practice, if the software just uses the data locally within your business premises and never transmits anything out (via the Internet) then there is no need for a BAA.

You may be noticing that you use several of the service noted above and be puckering up that you don’t have a BAA with most of them.  Hang in there with me, below I will give you easy steps to follow.

And if you are thinking “Just because they have access to my computers doesn’t mean they have access to my data” – Stop it, you’re being silly.   Imagine trying to explain that to a knowledgeable prosecution attorney when the chips are down.  You need BAA’s with your providers.

Figure out who you need a BAA with

This isn’t difficult.  Just stop and think for a few minutes which companies you work with that you give access to your Practices Data.  Then write down the list of who they are.  Put this list in the same place where you keep your completed BAA’s, and incorporate it into your IT Policy (more on this below).

Don’t get wound up at this point worrying about forgetting someone, you can always add them to the list later.  Having most of them is better than none of them.

Contact the Service Providers and ask for a BAA

Most of these companies should be well aware of their clients needs for a BAA under HIPAA rules, and most will already be prepared with a standard BAA they can provide to you.  Just call them and ask for it.  (Let me know if you run into a well known provider that doesn’t offer a BAA to you).

I’d suggest that if the provider has a BAA they want to use, use theirs.   Why?  Imagine you are a large company like Dolphin and you have thousands of clients – their legal department would be overwhelmed reviewing thousands of unique BAA’s.  They should have a satisfactory BAA they can just provide to you to review and sign.  Send them back a signed copy, and file yours.  Job done!

If you contact your provider or IT company, and their response is “What’s a BAA?” this should be a warning flag to you.  If they don’t know what a BAA is, you can be pretty sure they aren’t taking all the necessary precautions to protect your PHI.  Many ‘one man show’ IT shops are in this boat because they can’t be bothered to take the time to learn what’s needed.  These leaves you exposed with the liability.

MME TechnicianIf you are an MME client, we offer a BAA for you ready to use.  You can download it here.  Please review and sign the document where noted as the Covered Entity, and then return a copy to us by one of the following methods:

  • Email:  info@mmeconsulting.com
  • Fax:  (916) 419-1103
  • Regular mail: 4714 Duckhorn Drive, Sacramento, CA 95834

When to get the BAA from a Provider

Ideally you should complete a BAA and have it on file BEFORE you give a service provider access to your Practices data.  As you are contracting a new service, this should be part of the final paperwork – ask them to provide a completed BAA along with the invoice.   If they don’t offer one or are unwilling to sign one, you might want to consider this before completing the purchase.

Keep your BAA’s Organized

Designate one location in the Practice to store the completed BAA’s.  This could be in hard copy in a file drawer or electronically in a folder on your Server.  You should write down where you keep these in your IT Policy manual (more on that below).

Think about this once per Year

This isn’t something you should just do once and then forget about forever.  You may change IT people, or add a new third party service during the year.   One a year have a responsible person in your Practice (perhaps the IT Compliance Officer) take out the list and spend just a few minutes reviewing the companies on it and determine if any should be added or deleted.   For those being added, it’s time to track down BAA’s with them.   I’d probably keep the BAA’s with companies being deleted in case you ever need proof that you had a BAA with them.  Go down the list, and make sure you have a BAA in the folder for every company.

You should document that you performed this annual ‘audit’ of your BAA’s and write down the list and that you checked you had the BAA’s on file.   This could save your bacon someday (mmmmm, bacon).  Keep this completed audit form with the BAA’s.

Add this to your Practices IT Policy

I have been blogging about Practical Steps towards Security, and this topic is one of them.   In a previous post I have outlined the need for maintaining a simple IT Policy document using the example of Maple Leaf Orthodontics.   I have prepared a new section called ‘Business Associate Agreement’ that you can take and incorporate into your policy.  You can download it here.

I have prepared an Annual BAA Review Checklist as well.  This is a simple form to streamline the process of the annual audit so your IT Compliance Officer should be able to complete it in a matter of minutes.  You can download it here.    With a little more effort you can turn the checklist into a Adobe PDF form to make it super easy to fill out and save each year – check out this example.

I have also prepared a sample Business Associate Agreement you can review and consider using something like it with your IT provider.   Read through the document at least once, start to finish (print it out, go to Starbucks and get a Grande Latte, and sit there and read through it start to finish.  It’s not that bad).  You want to understand a bit about it.  To be clear, I make no claim that this document is ideal to serve your needs, and by downloading it you agree and release MME of any liability associated with it or its use.   Use at your own risk.  Ok – enough legalese – you can download the sample BAA here.


Please subscribe to the blog to get a notice of when the next article is posted. Sign up to get updates by email as soon as we add them.


MME TechnicianIf you’d like a little help with your IT Policy and it’s implementation please consider MME, it’s what we do.   We can customize the complete document for the steps applicable to your Practice, and take care of the IT steps to implement them (we are nerds after all).  Just give us a call at 866-419-1102 or check us out online at www.mmeconsulting.com.