Labs and HIPAA Business Associate Agreements (BAAs)


by Jim Moore        10/29/2020

Business Associate Agreements (BAAs)

Many Smart Training clients conduct business with dental laboratories. We’re often asked about HIPAA Business Associate Agreements (BAAs) between our clients and labs. 

Do practices need a Business Associate Agreement (BAA) with labs?

Many times, the lab has told our client that the lab is a Covered Entity under HIPAA, and that a BAA is not required. However, if the lab isn’t actually owned by a healthcare provider, then the lab is not a Covered Entity. Even if it were a Covered Entity, the law specifically states that “a Covered Entity may be a Business Associate of another Covered Entity.” Just being a Covered Entity doesn’t get the lab off the hook.

2013 Omnibus Rule

Under the Omnibus Rule, Business Associates must train employees on patient privacy, and labs become directly responsible under the HIPAA Security Rule. Both constraints pose problems for many lab owners. For example, current BAAs require labs to train their employees on patient privacy.

Is my practice liable for lab breaches?

If your practice provides protected health information (PHI) to a lab with which you do not have a BAA in place, and the lab breaches the information, your practice is liable. And if you think having your lab sign a BAA is of little importance, ask yourself: if patients knew your office had provided their information to a dental lab that is unwilling to train employees on HIPAA privacy and security regulations, how would they feel? 

If a lab you use will not sign a BAA with your office, find another lab!

Easy BAA Training

To make it easier for your labs to be HIPAA compliant, check out our online business associate (BA) training modules for both National and Texas.

Smart Training
820 W Spring Creek Pkwy, Ste 400-R Plano, Tx 75023
