This is a follow-up question to last week’s topic. When does a chiropractic office need a BAA?

See last week’s topic on whether a BAA is needed for a shredding company here.

Below is a comprehensive list of common scenarios where a chiropractic office may need a Business Associate Agreement (BAA). These are all situations where a third party has access to protected health information (PHI) in performing services for your practice.
When a Chiropractic Office Needs a BAA

1. Billing and Claims Processing

  • Third-party medical billing companies
  • Revenue cycle management vendors
  • Clearinghouses that process claims or eligibility

2. Practice Management and EHR Software

  • Cloud-based electronic health record (EHR) systems
  • Scheduling or patient communication platforms with access to PHI
  • Patient portals maintained by a vendor

3. IT Services and Support

  • Managed IT service providers with access to your systems
  • Remote desktop support vendors
  • Data backup companies (cloud or physical)
  • Server hosting companies (if PHI is stored or processed)

4. Document and Data Destruction

  • Shredding companies (paper records)
  • Data wiping/disk destruction companies (old computers or hard drives)
  • Off-site storage vendors that also destroy records

5. Communication Services

  • Email or fax vendors (if they process PHI)
  • Text messaging services used for appointment reminders or patient follow-ups that include PHI
  • Voicemail transcription services

6. Cloud Storage Providers

  • Dropbox, Google Drive (business tier with HIPAA addendum), Microsoft OneDrive, iCloud, etc. if used to store PHI
  • Backup services like Carbonite or Backblaze

7. Consultants and Auditors

  • HIPAA compliance consultants with access to PHI
  • Medical coding consultants reviewing patient files
  • Accountants or CPAs if they access PHI for audit purposes

8. Law Firms or Legal Services

  • If they review records that contain PHI (e.g., malpractice defense, collections, compliance audits)

9. Marketing or Mailing Services

  • Vendors sending appointment reminders, newsletters, or surveys that include PHI (e.g., names + services)
  • CRM or email automation systems used with PHI data (like Mailchimp or Constant Contact)

10. Collections Agencies

  • Agencies that receive patient names, balances, and services rendered

11. Telehealth or Remote Services

  • Telehealth platforms that store or transmit PHI
  • Remote radiology services

When a BAA Is Not Required

You do not need a BAA with:

  • Your own employees
  • USPS, FedEx, or UPS (as they are conduits, not business associates)
  • Credit card processing companies (they are exempt under HIPAA)
  • Vendors with no access to PHI, such as office furniture suppliers, janitors (unless they handle trash with PHI), or maintenance services

Would you like a short checklist for your office? KAC members click here! Just make sure you’re logged in to download the Excel spreadsheet.

Reminder – you can find all of the KAC resources for our members on our website here: https://thekac.org/resources