Chapter 1 · §164.314(a)

Email and Business Associate Agreements

Your email provider is a vendor that sees patient information, even when you don't intend it to. The Business Associate Agreement (BAA) is the contract HIPAA requires before a vendor may create, receive, maintain or transmit protected health information on your behalf. Most solo or small practices have a gap here and don't know it.

Why this chapter exists, in plain English

A therapist we worked with, let's call her Leslie, believed she was fully covered. She used TherapyNotes for clinical records and had her clients sign an agreement not to share protected health information (PHI) via email. She thought that was enough.

It wasn't. Her email provider was personal Gmail, and Google's free consumer Gmail does not offer a HIPAA BAA (the paid Google Workspace product does, but only once you accept it in the admin console). A client agreement doesn't shift the regulatory obligation: HIPAA holds you, the covered entity, responsible for the vendors that handle PHI for you. If a patient emails appointment details, insurance information, or anything about their care to an inbox without a BAA, that is a potential violation, even if you didn't ask them to.

In a breach investigation, the Office for Civil Rights doesn't ask whether you meant to receive PHI by email. They ask whether you had a BAA with the email provider. Without one, civil penalties are tiered by culpability: the lowest tier historically started at $100 per violation, with an annual cap of $1.5 million per identical provision, and both figures are adjusted upward for inflation each year.

The good news: this is one of the most straightforward gaps to close. Let’s figure out where you stand.

Discovery

Which email provider do you use for anything patient-related: scheduling, appointment reminders, follow-ups, or messages from clients?

Do any of your clients ever email you about their care: appointment changes, symptoms, insurance questions, or anything related to their treatment?

Do you have a signed agreement with your clients about email communication?
