Hiring Contractors in a Healthcare Practice: HIPAA BAAs a…
Healthcare practice owners have two distinct obligations when hiring contractors: proper worker classification and HIPAA Business Associate Agreements.
March 13, 2026
Healthcare practices face an employment question that other businesses do not: every time you bring on a contractor who will touch patient information, you have two separate legal obligations, not one. Worker classification (1099 vs W2) is the first. HIPAA Business Associate Agreement (BAA) compliance is the second. Skipping either one creates liability.
This guide is for healthcare practice owners who hire contractors for billing, credentialing, administrative support, or clinical services. We also strongly recommend this framework for any business that handles highly personal information.
The Two Separate Requirements
1. Worker Classification
Whether the person you’re hiring is an employee or an independent contractor is governed by the IRS control test and your state workforce agency’s right-to-control analysis, the same framework that applies to any business. (See our 1099 vs W2 guide for a full breakdown.)
In healthcare, classification questions commonly arise around:
- Billing and coding services
- Credentialing specialists
- Virtual assistants with access to patient scheduling
- Substitute or per diem clinical providers
- Administrative staff working remotely
A billing company that submits insurance claims on your behalf, working from their own office, with their own staff, for multiple clients, is almost certainly an independent contractor. A person who works in your office, on your schedule, doing your billing, for only you, looks more like an employee.
Getting this wrong creates IRS tax liability, state unemployment tax liability, and potentially workers’ comp exposure.
2. HIPAA Business Associate Agreement
If the contractor will create, receive, maintain, or transmit protected health information (PHI) on your behalf, federal HIPAA law requires a Business Associate Agreement (BAA) to be in place before they access any PHI. This applies regardless of employment status, and regardless of whether the contractor is an individual or a company.
A BAA is required before they access PHI, not after they’ve already been working.
What Triggers a BAA Requirement
You need a BAA when any contractor:
- Accesses your electronic health records (EHR) to submit claims, update records, or pull reports
- Handles paper records containing patient information
- Accesses payer portals on your behalf
- Receives patient scheduling information or appointment details
- Provides IT services with access to systems that store PHI
Common contractors who may need BAAs: billing companies, credentialing services, EHR vendors, cloud storage providers, medical answering services, and remote administrative staff with scheduling access.
Keep the BAA as a Separate, Standalone Document
Some contractors try to incorporate BAA language into their services agreement. We strongly recommend against this, whether you are drafting the agreement yourself or a contractor proposes the combined form.
Two short, focused documents, a services agreement and a standalone BAA, are much easier to review, manage, and audit than one complicated document trying to do both jobs. When you need to update your BAA because HIPAA guidance changes, you update just the BAA. When you renegotiate payment terms, you modify the services agreement. They don’t interfere with each other.
When a contractor insists on combining them, that’s a signal to have an attorney review what they’re actually proposing before you sign.
What a BAA Must Include
A proper BAA should be explicit, readable, and enforceable. At minimum, cover these six items:
- Limit PHI use and disclosure to what is necessary for the contracted services.
- Require administrative, technical, and physical safeguards and prohibit unauthorized disclosures.
- Require downstream BAAs for any subcontractor that will access PHI.
- Spell out how PHI is returned or destroyed when the engagement ends.
- Require breach notice fast enough to comply with federal law and your own incident response needs.
- Assign responsibility for security failures to the party that controls the compromised systems.
When the Contractor Sends You Their BAA: Read It
Many billing companies and credentialing services provide their own BAA forms. This is normal and usually fine, but the terms vary significantly.
Specific things to review in any BAA presented to you:
- The indemnity clause. Who is responsible if there’s a breach? If the contractor’s systems are compromised, the contractor should bear responsibility, not your practice.
- The permitted uses of PHI. Does the agreement allow the contractor to use your patient data for purposes beyond your engagement, such as aggregate analytics or business development? This language should be narrow.
- The termination and data return provisions. What happens to PHI when you end the contract? Is there a process for certified destruction or return? Is the timeline reasonable?
- The breach notification timeline. Federal law requires notification within 60 days of discovery. Some BAAs try to extend this or soften what constitutes a “breach.”
A healthcare practice owner had to terminate a billing company for cause after discovering unauthorized access to her insurance portals, including the addition of an unauthorized third party. The situation was complicated by a services agreement that didn’t clearly delineate what portal access was authorized or what the exit process required. A standalone BAA with clear access limitations and a specific termination process would have made the situation much cleaner.
State-Specific Healthcare Considerations
Licensing-board rules can add another layer beyond HIPAA. Supervision requirements, scope-of-practice rules, and delegation limits may affect how you structure clinical contractor arrangements.
If you participate in public payer programs, additional contractual and compliance obligations may apply to contractors involved in billing or patient-facing operations.
Checklist Before You Hire a Healthcare Contractor
- Determine employee vs. contractor status under IRS and state-agency tests
- If contractor: draft or review a standalone IC agreement
- Determine whether the contractor will access PHI
- If yes: require a signed, standalone BAA before granting any system access
- If the contractor provides their BAA: review indemnity clause, permitted uses, termination/data return provisions, and breach notification timeline
- If the BAA is problematic: negotiate or get an attorney to review before signing
- Retain executed copies of both documents separately
- If the contractor is clinical: confirm the structure complies with applicable licensing board rules