Business Associate Agreement Under HIPPA:  Your Clients Are Protected; Are You?

Robert Haney • September 27, 2018

Representing healthcare clients is a very involved and complex task for any attorney to handle. This is especially true from a compliance perspective. The Health Insurance Portability & Accountability Act of 1996 (“ HIPAA ”) provides the requirements for the privacy and security rules regulating protected health information (“ PHI ”) of individuals and entities. Additionally, the HIPAA Privacy Rule and Security Rule (the “ Rule ”) set forth the rules for enforcing HIPAA violations and handling notifications involving any breach involving PHI (a “ Breach ”). Individuals and organizations required to comply with the Rule are called “Covered Entities.” However, the application of HIPAA does not stop at Covered Entities. HIPAA also applies to the business associates of Covered Entities, a role that is occupied by many attorneys representing Covered Entities.

What is a Business Associate?

On January 25, 2013, the final changes to the Rule were published. Under the Rule, a “business associate” of a Covered Entity can be held directly liable under HIPAA for a Breach. The Rule provides for three types of business associates working with or on behalf of Covered Entities: (1) business associate subcontractors; (2) entities routinely transmitting and accessing PHI; and (3) personal health record vendors.

Generally speaking, attorneys representing Covered Entities or business associates are business associate subcontractors if, in representing a Covered Entity or business associate, the attorney requires access to PHI in order to do their work for their client. If an attorney is a business associate, then a written Business Associate Agreement with their client is required.

Why Should I Enter Into A Business Associate Agreement?

The Rule requires business associates to enter into a written Business Associate Agreement that implements reasonable and appropriate policies in order to comply with the Rule and any Breaches thereunder. Failure to implement a written Business Associate Agreement can result in substantial fines and penalties. Amongst other things, Attorneys who are business associates can be held directly liable under the Rule, just as a Covered Entity would, for Breaches and violations of the Rule.

What is Required Under a Business Associate Agreement?

In order to avoid or reduce the chance of incurring liability for a Breach or other violation of the Rule the acts listed above, it is important to have a detailed and effective Business Associate Agreement. The template for a Business Associate Agreement should begin by incorporating the following requirements set forth under the Rule:

1)Establish the business associate’s permitted and required uses of PHI by setting forth how and when the business associate will use the PHI;

2)Provide that the business associate will only disclose PHI other than is set forth in the Business Associate Agreement or is required by law;

3)Implement appropriate safeguards to prevent the unauthorized use or disclosure of PHI;

4)Implement the requirements of the HIPAA Security Rule regarding electronic PHI;

5)Establish the situations and circumstances under which the business associate must disclose PHI to a requesting party;

6)Require the business associate to comply with all applicable requirements to the extent that the business associate is carrying out an obligation under the Rule on behalf of the covered entity;

7)Require the business associate’s internal practices, books and records in relation to the use and disclosure of PHI to be made available to the U.S. Department of Health & Human Services so that determinations regarding compliance with the Rule can be made;

8)To the extent practicable, require the business associate to return or destroy all PHI at the termination of the Business Associate Agreement;

9)Provide that any subcontractors, as defined by the Rule, business associate will engage with require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and

10)Provide for a termination of the Business Associate Agreement if the business associate violates a material term of the Agreement.

How will a Business Associate Agreement Reduce Attorney Liability?

While no Business Associate Agreement can eliminate an attorney’s liability under the Rule, it can greatly assist the attorney in limiting their liability to the extent possible.

First, while a Business Associate Agreement cannot change the statutory timeframes for providing notice or curing a Breach under the Rule, an attorney can give themselves as much leeway as possible with respect to how and when it must provide notice or cure a Breach by allowing themselves as much time as is permitted under the Rule.

Second, the Business Associate Agreement can provide greater clarity to the parties in detailing what a Breach is and when a Breach a occurs. This will help both parties reduce the probability of a Breach, recognize when a Breach occurs, and address either party’s failure to comply with the notice and cure provisions of the Rule.

Third, the Business Associate Agreement can provide essential guidance in handling a Breach by clearly stating each party’s responsibilities in the event of a Breach and the best and most efficient way to cure a Breach. Having definite and delegated plans of action for each party will provide security to each party in handling a Breach.

Finally, in addition to entering in to a Business Associate Agreement, it is also important to remember take a step back, evaluate your practice and determine the best way to become HIPAA and Rule compliant. This can be done by assessing your current level of compliance with HIPAA, projecting potential future compliance needs as your practice changes or grows and a developing plan of action to address any gaps you may discover or anticipate.

Speak to an Attorney

Related Posts

Business Succession Planning for Dental Practice Owners - Part III:

By Jordan Uditsky April 15, 2026
How Defining Your Goals Will Shape Your Dental Practice’s Business Succession Plan

Business Succession Planning For Dental Practice Owners – Part II

By Jordan Uditsky April 2, 2026
How Buy-Sell Agreements Determine the Success of Your Transition
A doctor is sitting at a desk talking to a patient.

It’s Not Me; It’s You: Terminating a Relationship With a Difficult Dental Patient

By Jordan Uditsky March 9, 2026
Most relationships, whether personal or professional, start with a certain level of mutual trust and respect, compatibility, and shared goals and priorities. But those characteristics don’t always last, and a once-promising partnership can devolve into disputes, distrust, or outright hostility. The dentist-patient relationship is not immune to such deterioration. There may come a day when the differences between a dentist and their patient make continued treatment undesirable or impractical. A patient, of course, is free to call it quits with their dentist at any time, or the patient and dentist can mutually agree to part ways. But when a dentist wants to stop treating a problematic or disruptive patient and terminate the relationship, things can be a bit stickier. It is crucial that a dentist handles the break-up carefully and in accordance with the law and ethical standards so as to avoid claims of patient abandonment that could threaten their professional license or expose them to liability. Are you interested in speaking with one of our attorneys? Click here to contact us now. Dentists Have a Right To Unilaterally Dismiss a Patient For Reasonable Cause As a preliminary matter, dentists may choose to responsibly end their relationship with a patient for any reasonable, legally permissible cause. As the American Dental Association (ADA) guidelines put it: The dentist has the right to dismiss a patient in situations where it is impossible to resolve differences or if the dentist cannot abide the patient’s behavior within the practice, as long as the dismissal is not for a legally impermissible discriminatory reason. Accordingly, a dentist may not end a patient relationship because of the patient’s race, religion, gender, color, age, national origin, disability, or other characteristics protected by federal and state anti-discrimination laws. Notably, political opinions are not a protected characteristic under the law. Common reasons a dentist may justifiably terminate a patient include: Hostility or abusive behavior toward the dentist, staff, or other patients Harassment or sexual abuse of dentist, staff, or other patients Repeatedly missing appointments Refusal to undergo recommended testing or treatment Lack of trust or confidence in the dentist’s abilities or recommendations Consistent failure to follow office policies Showing up to appointments under the influence of alcohol or drugs Refusing to adhere to infection-control precautions and policies, such as masking Nonpayment Patient Dismissal vs. Patient Abandonment A dentist who chooses to dismiss a patient can’t simply show them the door, send them a break-up text, or refuse to answer their calls. Dentists must end the relationship such that they avoid any claim that they have abandoned their patient. According to the ADA’s Principles of Ethics and Code of Professional Conduct Section 2.F.: Once a dentist has undertaken a course of treatment, the dentist should not discontinue that treatment without giving the patient adequate notice and the opportunity to obtain the services of another dentist. Care should be taken that the patient’s oral health is not jeopardized in the process. Patient abandonment is a serious ethical violation. For example, the Illinois Dental Practice Act lists “abandonment of a patient” as one of the many reasons the Illinois Department of Financial and Professional Regulation may revoke, suspend, refuse to issue or renew, reprimand, or take other disciplinary or non-disciplinary action against a dentist. A dentist also exposes themself to a malpractice claim if injuries result from their termination of the patient at the wrong time during the course of treatment or without proper notice. Best Practices For Terminating a Patient Relationship As noted, adequate notice, providing the patient an opportunity to find alternative care, and facilitating continuity of ongoing care are the keys to responsibly ending the dentist-patient relationship and avoiding a claim of abandonment. We suggest that dentists take the following steps to minimize the likelihood of any disputes or claims arising from the termination of the relationship: provide written notice to the patient, preferably by certified mail; provide the patient with the reasons for terminating the relationship; offer to continue treatment and access to services for a reasonable period (such as 30 days) to allow the patient to secure another dentist’s services; state that you will provide emergency services for a designated period; help the patient locate another dentist; and offer to transfer the patient’s records to a new dentist and/or advise the patient of their right to obtain a copy of their records for a fee. Additionally, a dentist experiencing issues with a patient should contemporaneously document all communications, incidents, statements, or behavior suggesting a breakdown in the relationship. Of course, while a dentist can control how they handle the end of a patient relationship, they can’t control how the patient will react to being “dumped.” Even when the dentist acts professionally and cordially, as they should, there is no guarantee that the patient will do the same. If a patient responds with hostility or anger, tread carefully and do not respond in kind. Contact Us With Any Questions or Concerns If you have any questions or concerns about ending a patient relationship, please give us a call. At Grogan, Hesse & Uditsky, P.C., we focus a substantial part of our practice on providing exceptional legal services for dentists and dental practices, as well as orthodontists, periodontists, endodontists, pediatric dentists, and oral surgeons. We bring unique insights and deep commitment to protecting the interests of dental professionals and their practices and welcome the opportunity to work with you. Please call us at (630) 833-5533 or contact us online to arrange for your free initial consultation. Jordan Uditsky, an accomplished businessman and seasoned attorney, combines his experience as a legal counselor and successful entrepreneur to advise dentists and other business owners in the Chicago area. Jordan grew up in a dental family, with his father, grandfather, and sister each owning their own dental practices, and this blend of legal, business, and personal experience provides Jordan with unique insight into his clients’ needs, concerns, and goals.
Show More

Business Succession Planning for Dental Practice Owners - Part III:

By Jordan Uditsky April 15, 2026
How Defining Your Goals Will Shape Your Dental Practice’s Business Succession Plan

Business Succession Planning For Dental Practice Owners – Part II

By Jordan Uditsky April 2, 2026
How Buy-Sell Agreements Determine the Success of Your Transition
A doctor is sitting at a desk talking to a patient.

It’s Not Me; It’s You: Terminating a Relationship With a Difficult Dental Patient

By Jordan Uditsky March 9, 2026
Most relationships, whether personal or professional, start with a certain level of mutual trust and respect, compatibility, and shared goals and priorities. But those characteristics don’t always last, and a once-promising partnership can devolve into disputes, distrust, or outright hostility. The dentist-patient relationship is not immune to such deterioration. There may come a day when the differences between a dentist and their patient make continued treatment undesirable or impractical. A patient, of course, is free to call it quits with their dentist at any time, or the patient and dentist can mutually agree to part ways. But when a dentist wants to stop treating a problematic or disruptive patient and terminate the relationship, things can be a bit stickier. It is crucial that a dentist handles the break-up carefully and in accordance with the law and ethical standards so as to avoid claims of patient abandonment that could threaten their professional license or expose them to liability. Are you interested in speaking with one of our attorneys? Click here to contact us now. Dentists Have a Right To Unilaterally Dismiss a Patient For Reasonable Cause As a preliminary matter, dentists may choose to responsibly end their relationship with a patient for any reasonable, legally permissible cause. As the American Dental Association (ADA) guidelines put it: The dentist has the right to dismiss a patient in situations where it is impossible to resolve differences or if the dentist cannot abide the patient’s behavior within the practice, as long as the dismissal is not for a legally impermissible discriminatory reason. Accordingly, a dentist may not end a patient relationship because of the patient’s race, religion, gender, color, age, national origin, disability, or other characteristics protected by federal and state anti-discrimination laws. Notably, political opinions are not a protected characteristic under the law. Common reasons a dentist may justifiably terminate a patient include: Hostility or abusive behavior toward the dentist, staff, or other patients Harassment or sexual abuse of dentist, staff, or other patients Repeatedly missing appointments Refusal to undergo recommended testing or treatment Lack of trust or confidence in the dentist’s abilities or recommendations Consistent failure to follow office policies Showing up to appointments under the influence of alcohol or drugs Refusing to adhere to infection-control precautions and policies, such as masking Nonpayment Patient Dismissal vs. Patient Abandonment A dentist who chooses to dismiss a patient can’t simply show them the door, send them a break-up text, or refuse to answer their calls. Dentists must end the relationship such that they avoid any claim that they have abandoned their patient. According to the ADA’s Principles of Ethics and Code of Professional Conduct Section 2.F.: Once a dentist has undertaken a course of treatment, the dentist should not discontinue that treatment without giving the patient adequate notice and the opportunity to obtain the services of another dentist. Care should be taken that the patient’s oral health is not jeopardized in the process. Patient abandonment is a serious ethical violation. For example, the Illinois Dental Practice Act lists “abandonment of a patient” as one of the many reasons the Illinois Department of Financial and Professional Regulation may revoke, suspend, refuse to issue or renew, reprimand, or take other disciplinary or non-disciplinary action against a dentist. A dentist also exposes themself to a malpractice claim if injuries result from their termination of the patient at the wrong time during the course of treatment or without proper notice. Best Practices For Terminating a Patient Relationship As noted, adequate notice, providing the patient an opportunity to find alternative care, and facilitating continuity of ongoing care are the keys to responsibly ending the dentist-patient relationship and avoiding a claim of abandonment. We suggest that dentists take the following steps to minimize the likelihood of any disputes or claims arising from the termination of the relationship: provide written notice to the patient, preferably by certified mail; provide the patient with the reasons for terminating the relationship; offer to continue treatment and access to services for a reasonable period (such as 30 days) to allow the patient to secure another dentist’s services; state that you will provide emergency services for a designated period; help the patient locate another dentist; and offer to transfer the patient’s records to a new dentist and/or advise the patient of their right to obtain a copy of their records for a fee. Additionally, a dentist experiencing issues with a patient should contemporaneously document all communications, incidents, statements, or behavior suggesting a breakdown in the relationship. Of course, while a dentist can control how they handle the end of a patient relationship, they can’t control how the patient will react to being “dumped.” Even when the dentist acts professionally and cordially, as they should, there is no guarantee that the patient will do the same. If a patient responds with hostility or anger, tread carefully and do not respond in kind. Contact Us With Any Questions or Concerns If you have any questions or concerns about ending a patient relationship, please give us a call. At Grogan, Hesse & Uditsky, P.C., we focus a substantial part of our practice on providing exceptional legal services for dentists and dental practices, as well as orthodontists, periodontists, endodontists, pediatric dentists, and oral surgeons. We bring unique insights and deep commitment to protecting the interests of dental professionals and their practices and welcome the opportunity to work with you. Please call us at (630) 833-5533 or contact us online to arrange for your free initial consultation. Jordan Uditsky, an accomplished businessman and seasoned attorney, combines his experience as a legal counselor and successful entrepreneur to advise dentists and other business owners in the Chicago area. Jordan grew up in a dental family, with his father, grandfather, and sister each owning their own dental practices, and this blend of legal, business, and personal experience provides Jordan with unique insight into his clients’ needs, concerns, and goals.
Show More