Do healthcare copywriters and content writers need to sign a BAA?
Gugu Ntsele March 6, 2026
A business associate agreement is a legally binding contract required under HIPAA. HIPAA governs how protected health information (PHI) is handled by covered entities and their "business associates."
Under 45 CFR § 160.103, a business associate is any person who, on behalf of a covered entity, "creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter." The BAA formalizes that relationship, outlining how PHI will be protected, what happens in the event of a breach, and what the business associate's responsibilities are under federal law.
According to healthcare attorney Kim Stanger of Holland & Hart LLP, failing to have a BAA in place when required can expose covered entities and business associates to civil penalties. Stanger notes that the Office for Civil Rights (OCR) has used the absence of a BAA to extract significant settlements from covered entities, including cases involving settlements of $500,000 and $1,550,000, following data breaches by their business associates.
Read also: What is the purpose of a business associate agreement?
Do BAAs apply to writers?
The question of whether a healthcare writer needs to sign a BAA is based on whether the writer accesses, handles, or comes into contact with protected health information.
According to § 160.103, protected health information (PHI) means "individually identifiable health information" that is transmitted or maintained in any form or medium. And individually identifiable health information is defined as information that "identifies the individual" or where "there is a reasonable basis to believe the information can be used to identify the individual" tied to their health condition, care, or payment history.
Therefore, most healthcare copywriters and content writers probably do not need a BAA: when writing a blog post about managing Type 2 diabetes, drafting web copy for a cardiology practice, or creating email newsletters for a health system, you're typically working with general medical information, not patient records.
It's also worth noting that accidental or incidental exposure to PHI outside contracted job duties doesn't automatically trigger business associate obligations, a distinction Stanger outlines in "To BAA or Not to BAA: Must You Have One?"
When a BAA is required
There are scenarios where a healthcare writer could legitimately need to sign a BAA:
- Case studies with real patient data. If a hospital wants a patient success story and gives access to actual medical records or any identifiable patient information, that changes things. The business associate definition applies the moment a writer "creates, receives, maintains, or transmits" PHI on behalf of a covered entity, even if the final published piece is fully anonymized.
- Working inside covered entity systems. Some writers are granted access to internal content management systems, intranets, or platforms that contain PHI. If the tools used give exposure to patient information, even incidentally, the covered entity may be obligated to have a BAA in place.
- Ghostwriting for providers with patient context. If a physician shares patient case details to help the writer with content, and those details are identifiable enough to constitute PHI, the writer could be handling protected information regardless of how it was framed to them.
- Market research or content audits involving PHI. Writers who are asked to review, analyze, or organize content that includes patient data as part of a broader project may also trigger the BAA requirement.
Learn more: Do subcontractors have to sign a BAA?
What must a BAA contain?
Attorney Kim Stanger of Holland & Hart LLP outlines the mandatory components in detail, and they go well beyond a simple confidentiality pledge.
At minimum, a compliant BAA must establish the permitted uses and disclosures of PHI, require appropriate safeguards to prevent unauthorized access, and mandate compliance with the HIPAA Security Rule if any electronic PHI is involved. The agreement must also require the business associate to report any breach or security incident to the covered entity, ensure that any subcontractors handling PHI sign their own agreements with equivalent protections, and include provisions for returning or destroying PHI upon termination of the relationship.
Stanger also notes that the OCR has imposed a $400,000 settlement against a covered entity specifically because its BAA failed to include all required terms. This shows that a poorly drafted BAA can be as problematic as no BAA at all.
Furthermore, Stanger notes that, "Entities and subcontractors that meet the definition of a 'business associate' under HIPAA are subject to HIPAA and must comply with HIPAA requirements applicable to business associates even if there is no BAA." In other words, declining to sign a BAA doesn't get you off the hook if you're functioning as a business associate. It just means you've avoided some contractual obligations while remaining exposed to federal regulatory penalties.
Why some clients ask anyway
Even in situations where a BAA may not be strictly required, healthcare organizations may ask vendors, including writers, to sign one anyway. This is often a matter of organizational policy, legal caution, or a compliance approach.
In "To BAA or Not to BAA: Must You Have One?" Stanger cautions that signing unnecessary BAAs can actually work against you. Doing so may expose you to contractual liabilities that wouldn't otherwise apply, place limits on how you use or disclose information, and in some cases function as an inadvertent admission that you are a business associate, potentially opening the door to HIPAA penalties for noncompliance.
It's also worth knowing that some covered entities, as Stanger points out, use BAAs to require business associates to carry appropriate insurance, provide indemnification for HIPAA violations, and cover the costs of breach notification.
If a client insists on a BAA when you don't believe you qualify as a business associate, Stanger suggests a few practical alternatives:
- Explaining the regulatory limits on business associate status,
- Offering a more limited confidentiality agreement instead, or
- Conditioning the BAA on your actual status as a business associate as defined under HIPAA.
Guidance for healthcare writers
If you're a freelancer or agency writer working in the healthcare space, here's an approach to navigating this issue.
- Ask the right questions upfront. Before starting a project, clarify whether your work will involve access to any patient information, medical records, or individually identifiable data.
- Don't panic if a client requests a BAA. It doesn't mean you're doing anything wrong or that the client thinks you'll mishandle data. It's often just their standard process for any healthcare vendor.
- Consult an attorney if you're unsure. If you're regularly doing work that might bring you close to PHI, a consultation with a healthcare attorney will be beneficial.
- If you do sign a BAA, take it seriously. Even if you believe your exposure to PHI is minimal, you're legally obligated to honor the terms. That means using secure file transfer for any documents you receive, not sharing client materials inappropriately, and having a plan in case something goes wrong.
FAQs
Does a BAA protect the writer, or only the covered entity?
A BAA actually creates mutual obligations; it also formally documents what the covered entity is responsible for in the relationship.
Is a BAA the same as an NDA?
No, an NDA is a general confidentiality agreement, while a BAA is a federally mandated contract with specific HIPAA-required provisions.
Do BAA requirements apply to writers outside the United States working for U.S. healthcare clients?
Yes, HIPAA obligations follow the covered entity, so any business associate handling PHI on their behalf is subject to the law regardless of geography.
Can a writer negotiate the terms of a BAA before signing?
Yes, BAA terms are negotiable.
Does HIPAA apply to all healthcare companies, or only certain ones?
HIPAA applies only to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates.