Why a BAA (Business Associate Agreement) is Essential

When a Business Associate Agreement is Essential for Your Website, Hosting and Email Providers

What is a Business Associate Agreement?


A BAA (Business Associate Agreement) is a formal contract between a covered entity (healthcare provider) and a business associate (any organization or person who handles health information on behalf of the covered entity).


The BAA is in place to ensure that the business associate adheres to HIPAA requirements regarding the use and protection of Protected Health Information (PHI).


You’ll be surprised at which companies won’t sign your Business Associate Agreement. Most website agencies and consultants will not accept the liability that comes with a BAA.


Do I Need a Business Associate Agreement for My Website?


If you are a healthcare provider or covered entity and any of the following applies, then a BAA should be in place:


  • Using free or low cost website builders
  • Randomly chosen website hosting
  • Social media buttons
  • Contact forms
  • Click to email buttons
  • Reviews
  • Analytics
  • Appointment scheduling
  • Payment links
  • Questionnaires
  • Telehealth services


Why Do BAA Agreements Apply to Websites & Hosting Providers?


The biggest mistake healthcare providers make is to assume their website does not collect ePHI.


Most healthcare providers believe they are not collecting PHI or ePHI directly on their website. This is because they think of PHI as simply medical notes and records.


However, PHI covers all forms of ePHI, and this extends to any information that can be used to identify an individual.


This includes analytics, visitor logs, email collection, contact forms and all other types of data that your website harvests without you even knowing.


If you’re concerned about how your business might be collecting unseen ePHI get a free, comprehensive website review from HIPAA Digital.


Hosting Security of PHI and ePHI Data


Many website builder companies such as Wix won’t sign a BAA because they lack the security protocols required for protecting seen and unseen ePHI.


Many web hosting companies won’t sign a BAA either, because their hosting lacks the physical and security safeguards required.


Don’t assume that just because you’re using a big-name hosting company, their servers are HIPAA compliant. For example, the GoDaddy basic plan does not come with a Business Associate Agreement, and SiteGround will not sign a BAA.


Do I Need a BAA for my Email?


Yes, if you are communicating with clients via email then your email needs to be HIPAA Compliant and you are required to have a Business Associate Agreement in place with your email provider.


Basic Gmail is not HIPAA compliant and using it to send PHI would be a violation. Similarly, even if you use your business domain as an email address it may well lack the physical and technical safeguards required by HIPAA.


It’s not just your email account that needs to be secure; you must also protect the data ‘in transit’, which means that when you actually send PHI via email it is required to be encrypted.


It is straightforward and cost effective to get HIPAA compliant email systems in place, and HIPAA Digital can get you set up quickly and efficiently.


HIPAA Compliant Website Checklist


  • Do you have a valid SSL certificate?
  • Is the website hosted with a HIPAA compliant hosting company?
  • Have you encrypted data at rest and in transit?
  • Are you using HIPAA-compliant web forms?
  • Have you set access controls?
  • Are you recording and monitoring logs?
  • Are you maintaining an audit trail?
  • Have you got signed business associate agreements for all vendors?
  • Are you backing up all PHI?
  • Have you developed policies and procedures for restoring and deleting data?
  • Have you obtained consent from patients before publishing testimonials on your website?
  • Does your website include a notice of privacy practices?
  • Does your website include your HIPAA policy?


HIPAA Digital LLC Signs a Business Associate Agreement


Our BAA underpins everything we do. Not only will we make your website, hosting and email HIPAA compliant, we’ll also give you a free re-design and power your website with local SEO to grow your business, safe in the knowledge that you’re placing HIPAA compliance at the forefront of everything you do.


We believe healthcare businesses of all sizes deserve a world-class website at an affordable cost. Our marketing experts will build you a HIPAA Compliant website that ROCKS! Fully SEO optimized, ready to go and positioned for success.
