Business Associates and Beyond: What Every ABA Agency Needs to Know About Business Associates

Tags: baas, business associates, contracts | Apr 03, 2025

If you’re involved with compliance or quality assurance for your ABA agency, you’ve probably heard the term “Business Associate” tossed around in HIPAA conversations. But what exactly does it mean, and how does it apply to you and your agency? What are the compliance risks involved, and how can you successfully navigate those risks? Let’s break it down in plain language.

What’s PHI?

PHI stands for Protected Health Information — that’s any information about a client’s health, treatment, or payment for services that can identify them.

What’s a Business Associate?

A Business Associate is anyone outside your agency who helps you with services that involve them accessing PHI. In other words, if someone outside your organization uses, receives, or stores your clients’ PHI on your behalf, they’re probably a Business Associate of your agency.

Examples of Business Associates:

  • Your billing company that submits claims for you.

  • The IT provider who hosts or maintains your electronic health records system.

  • An attorney who looks over contracts that include PHI.

  • A shredding company that handles documents with PHI.

  • A cloud storage provider that stores PHI for your agency.

  • A telehealth platform that transmits session data.

  • A consultant who reviews clinical records as part of their work.

Examples of Who’s Not a Business Associate:

  • Your employees (HIPAA treats employees differently than third parties).

  • The U.S. Postal Service or a courier delivering mail — they’re considered conduits, not Business Associates.

  • A plumber fixing your office sink (even if they walk by your file cabinet — they’re not using or storing PHI).

  • An internet service provider that simply gives you an internet connection without storing or accessing PHI.

  • A financial institution that processes payments without accessing PHI.


Decision Tree: Is This Person or Company a Business Associate?

  1. Are they employees of your agency?

    • Yes → Not a Business Associate.

    • No → Continue to question #2.

  2. Do they perform a service for your agency that involves access to PHI?

    • No → Not a Business Associate.

    • Yes → Continue to question #3.

  3. Are they only delivering items without storing or accessing PHI (like the postal service)?

    • Yes → Not a Business Associate.

    • No → Continue to question #4.

  4. Are they providing services (like IT, billing, cloud storage, legal, or consulting) where PHI is used or stored on your behalf?

    • Yes → They’re a Business Associate! Time for a Business Associate Agreement (BAA).

    • No → They’re likely not a Business Associate and don’t need a Business Associate Agreement (BAA).

If you’re ever unsure whether someone’s a Business Associate, just ask yourself: Are they doing something for us that involves PHI? If the answer’s yes, it’s time to draft or review that BAA.

What’s a Business Associate Agreement (BAA)?

A BAA is a legally required contract between you and any Business Associate. BAAs aren’t optional; you have to have them. The BAA spells out how the Business Associate can use the PHI you provide them and how they must protect that PHI. If you’re sharing PHI with a third party, you’ve got to have a BAA in place before you share any PHI with them — no exceptions.

The Essential Elements of a BAA:

  • A clear description of permitted and required uses of your clients’ PHI.

    • This section of a BAA outlines exactly how the Business Associate is allowed to use or disclose your clients’ Protected Health Information (PHI). These uses must relate only to the services they’re providing to your agency and must be necessary to perform those services. Any use outside of what’s described here — like using PHI for their own marketing or other clients — isn’t allowed unless specifically authorized by you in writing.

  • A promise that the Business Associate won’t use or disclose your clients’ PHI beyond what’s outlined.

    • This means that the Business Associate agrees to only use or share protected health information (PHI) as specifically allowed in the agreement. They can't use the information for their own purposes or disclose it to others unless the BAA or law permits it. This protects client privacy and limits risk by keeping PHI use tightly controlled and purpose-specific.

  • Requirements for safeguarding your clients’ PHI.

    • This section outlines the specific safeguards the Business Associate must have in place to protect the confidentiality, integrity, and availability of your clients’ PHI. This includes things like secure data storage, encryption, access controls, staff training, and security policies to prevent unauthorized access, use, or disclosure of PHI. The goal is to ensure that your clients’ PHI is protected at all times, whether it's being stored, transmitted, or accessed.

  • Procedures for reporting breaches or unauthorized disclosures of your clients’ PHI.

    • This section outlines what the Business Associate has to do if they accidentally lose, share, or access PHI in a way that isn’t allowed. It should clearly state how quickly they must notify your agency (usually within a set number of days), who they should contact, and what information they must provide about the breach — like what happened, what PHI was involved, and what steps they’re taking to fix it and prevent it from happening again.

  • Terms about what happens to your clients’ PHI when the agreement ends (usually requiring the return or destruction of PHI).

    • This section explains what the Business Associate must do with any of your clients’ PHI they may still have once the agreement ends. Usually, it means they must either return the PHI to your agency or securely destroy it so it can’t be accessed or recovered. This helps ensure that client information isn’t left sitting with someone who no longer has a reason to access it — protecting your clients’  privacy and reducing your risk.

  • Allowing the Department of Health and Human Services (HHS) to audit the Business Associate if needed.

    • This section of the BAA ensures that the Business Associate agrees to cooperate with any official investigation or audit by HHS. This typically involves giving HHS access to records, practices, systems, or policies related to how the Business Associate uses, safeguards, or discloses Protected Health Information (PHI). This clause ensures that regulatory authorities can verify compliance with HIPAA rules if a complaint, breach, or random audit arises.

Why This Matters

Getting this right really matters for protecting your clients’ privacy and avoiding costly HIPAA violations. It also builds trust with your families and staff — and that’s something none of us can afford to overlook.


ABA Compliance Solutions’ Recommendations for Steps You Should Consider Taking Regarding Your Business Associates and Vendors

  1. Identify Your Business Associates

    1. Review all of the vendors, contractors, and service providers your agency works with.

    2. Use our decision tree to determine which vendors, contractors, or service providers qualify as Business Associates.

      1. Examples to consider: billing services, IT support, EHR vendors, telehealth platforms, legal services, accounting services, cloud storage providers, legal consultants, and record reviewers.

  2. Inventory Your Agency’s Existing Business Associate Agreements (BAAs)

    1. Make a list of all existing BAAs you currently have in place.

    2. Match each BAA to the corresponding vendor or service provider.

  3. Review Your BAAs for Necessary Components

    1. Ensure each of your BAAs includes:

      1. Permitted uses of PHI

      2. Restrictions on use/disclosure

      3. Safeguarding requirements

      4. Breach notification protocols

      5. Termination procedures (return/destruction of PHI)

      6. HHS audit permissions

  4. Create or Update Missing BAAs

    1. If any Business Associates are missing BAAs, draft and execute them immediately.

    2. Update outdated BAAs to reflect current HIPAA rules and your operational practices.

  5. Train Key Staff

    1. Ensure compliance and admin staff understand:

      1. Who qualifies as a Business Associate

      2. The importance of having a BAA before sharing PHI

      3. How to apply the decision tree from the newsletter

  6. Implement a Business Associate Tracking System

    1. Use a simple spreadsheet or compliance tool to track:

      1. Vendor name

      2. Service type

      3. PHI access (yes/no)

      4. BAA status (in place/missing/review needed)

      5. Review dates

  7. Schedule Regular BAA Audits

    1. Set a recurring calendar reminder (probably every 6 or 12 months) to:

      1. Reassess relationships

        1. Is a contractor now a Business Associate?

        2. Is a former Business Associate no longer one because they no longer need access to your clients’ PHI to do their work for you?

      2. Update BAAs as needed

      3. Ensure that you have current, signed BAAs for any vendor who’s accessing your clients’ PHI

  8. Communicate with Your Vendors

    1. Notify vendors that you’ve classified them as Business Associates (if they aren’t already aware).

    2. Share expectations around handling and securing your clients’ PHI.

    3. Send updated or new BAAs for review and signature.


We’re all in this together when it comes to compliance and quality assurance. If you’d like help reviewing your agreements or figuring out who your Business Associates are, don’t hesitate to reach out!
