HIPAA Applicability Decision Tree

The party that hired you is not a covered entity, and the firm or vendor that hired you is not acting as a business associate of a covered entity in this matter. The medical records you handle may have originated at a hospital or other covered entity, but once they were lawfully released to a non-covered recipient, HIPAA's reach ended.

What does apply:

• State medical confidentiality law (often stricter than HIPAA)
• State breach notification statutes
• State workers' comp confidentiality, where relevant
• Your contract with the hiring party
• Your credentialing body's ethics code

One important caveat. Even though HIPAA does not reach this engagement, the firm or vendor that hired you may still ask you to sign a BAA as a matter of internal policy or client requirement. That request may not be legally required by HIPAA, but you may still choose to sign for commercial reasons. If you do, read it carefully (especially the indemnification clause) before signing. The point of this tool is to help you understand which BAA requests are legally required by the regulation and which are reflexive, not to encourage you to refuse legitimate BAAs.

Pick your state below to see the local rules that fill the gap HIPAA leaves.

Whether HIPAA applies depends on who the firm or vendor represents in this matter. You can ask without picking a fight: "I want to make sure I understand the scope. Is the firm acting as a business associate of one of its clients on this matter, and is any BAA you'd ask me to sign flowing down from that arrangement?"

The answer tells you which path applies:

• Yes, we're a BA of a covered-entity client. The firm represents a hospital, health plan, or covered provider. Treat this as the BA-flow-down case. A BAA from the firm to you is legally required and you should sign it.

• No, we're not. The firm represents a workers' comp carrier, an MSA vendor, an auto insurer, a plaintiff, or a self-insured employer. Treat this as the non-covered case. HIPAA most likely does not reach you. Any BAA you sign would be a matter of firm policy, not regulatory requirement.

Once you have the answer, restart this tool with that information.

The party that hired you (or the covered entity above them in the chain) is regulated by HIPAA, and the regulation requires a BAA before PHI can be disclosed to you. Under 45 CFR 164.502(e), a covered entity may not disclose PHI to a business associate (or, by extension, a subcontractor BA) without satisfactory written assurance that the records will be safeguarded. The BAA is that assurance.

Action: Ask the firm or covered entity for a BAA before any records change hands. They almost certainly have a template. Read it carefully before signing. Pay particular attention to the indemnity, audit, and breach-notification provisions, which are commercially negotiated and often broader than HIPAA itself requires.

Since the HITECH Act of 2009, business associates and subcontractor business associates are directly liable to OCR for HIPAA Security Rule compliance. That means you have to conduct a documented risk analysis, implement administrative, physical, and technical safeguards, train your workforce, and report breaches on the timelines your BAA specifies.

Read OCR's Direct Liability of Business Associates fact sheet for the full list of obligations that apply to you regardless of what your BAA says.

You are directly liable to OCR for the Security Rule. On top of that, every vendor that touches the records you receive under the BAA is your subcontractor under HIPAA, and each one needs its own BAA with you. This is the "flow-down" rule, and most independent consultants ignore it.

Common subcontractors that need a BAA with you:

• Cloud storage and backup providers (Dropbox, Google Drive, OneDrive, AWS)
• Transcription services
• Document management and PDF tooling
• Email providers (where PHI is sent or stored)
• Fax services that store images

Most major providers have a HIPAA-eligible plan with a standard BAA. The free or consumer tier usually does not include one. SecondLook Health signs BAAs with covered-entity clients and is SOC 2 Type II attested.