In healthcare, protecting patient information is mandatory, and HIPAA sets specific guidelines to ensure that protected health information (PHI) remains secure, including when it is shared with business associates. But what happens when there is only incidental or inadvertent contact with PHI? In these cases, a business associate agreement (BAA) is generally not required.
A business associate is any person or organization that performs functions or activities involving the use or disclosure of PHI on behalf of a covered entity, like billing, data storage, and IT support. A BAA is required in these cases to outline how the business associate must handle PHI in compliance with HIPAA’s data protection standards.
However, when contact with PHI is merely incidental, a BAA is often unnecessary. As the Department of Health and Human Services (HHS) explains, “A business associate contract is not required with persons or organizations whose functions, activities, or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.”
Incidental exposure refers to situations where a person might unintentionally see or hear PHI as a by-product of performing their job. For example, janitorial staff cleaning a healthcare facility might see PHI while taking out the trash. Since their role doesn’t involve using or accessing PHI directly, this limited exposure doesn’t require a BAA. The HHS clarifies, “Generally, janitorial services that clean the offices or facilities of a covered entity are not business associates because the work they perform...does not involve the use or disclosure of protected health information, and any disclosure of protected health information to janitorial personnel that occurs in the performance of their duties...is limited in nature, occurs as a by-product...and could not be reasonably prevented.”
This distinction applies to other roles as well, such as maintenance workers who might incidentally see PHI while fixing equipment or receptionists who overhear PHI while working at the front desk. The HIPAA privacy rule permits these incidental disclosures, as long as they are unavoidable and occur as a natural outcome of permitted activities.
A BAA becomes necessary when a business associate’s duties go beyond incidental contact and involve active handling of PHI. For example, services like document shredding or IT support—which routinely involve direct access to PHI—do require a BAA. The HHS notes, “If a service is hired to do work for a covered entity where disclosure of protected health information is not limited in nature (such as routine handling of records or shredding of documents containing protected health information), it likely would be a business associate.”
In situations where services are performed under the direct control of the covered entity—such as on the entity’s premises—the privacy rule allows the covered entity to treat these services as part of its workforce. In such cases, “the covered entity need not enter into a business associate contract with the service,” according to HHS.
Failing to establish a BAA when it’s required can lead to serious consequences. Without a BAA, a covered entity may be liable if a business associate mishandles PHI, exposing them to potential penalties, legal repercussions, and damage to their reputation. Patients trust healthcare providers to protect their information, and any breach of that trust can have lasting impacts.
When working with third-party organizations, healthcare providers should take steps to manage both incidental exposure and business associate relationships:
A business associate contract outlines the responsibilities of business associates in handling PHI and ensures their compliance with HIPAA.
A BAA is not required when the person or organization’s contact with PHI is purely incidental, as HHS notes: “A business associate contract is not required...where any access to protected health information by such persons would be incidental, if at all.”
Without a BAA, covered entities risk penalties, legal action, and potential loss of patient trust if a data breach occurs.