BAA vs Confidentiality Agreement:
What Therapists Get Wrong About HIPAA
Do I Need a BAA or a Confidentiality Agreement?
This is one of the most common points of confusion for therapists.
Many providers assume that a Business Associate Agreement (BAA) is just a general confidentiality document that should be used anytime someone might see or hear client information.
That’s not what a BAA is.
A BAA is a specific legal agreement required under HIPAA when another party is handling Protected Health Information (PHI) on your behalf, as outlined in the HIPAA Business Associate guidance.
A confidentiality agreement is something entirely different.
Understanding the distinction matters, because using the wrong one doesn’t actually protect you.
What Is a Business Associate Agreement (BAA)?
A Business Associate Agreement is required when a third party creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity, which in private practice means on your behalf.
This includes services like:
- Billing companies
- Electronic Health Record (EHR) systems
- Virtual assistants handling client communication
- Cloud storage providers storing client data
What Is a Confidentiality Agreement in a Therapy Practice?
A confidentiality agreement is a general privacy document that sets expectations for behavior.
It is used when someone may see clients in a waiting room, hear names or conversations, or be present in a space where client information exists, but is not performing any function involving PHI on your behalf.
This includes:
- Front desk staff in a shared office
- Cleaning or maintenance personnel
- Landlords or office managers
- Other providers sharing space but operating separately
A confidentiality agreement does not create a HIPAA relationship.
It simply sets boundaries for what should not be disclosed.
This is where a lot of therapists get tripped up: using a BAA when a confidentiality agreement is the better fit.
Do Therapists Need a BAA for Front Desk Staff or Shared Office Space?
This is where things often get misunderstood.
If you are subleasing office space or working in a shared environment, a receptionist greeting a client, a staff member hearing a name, or someone seeing a client in the waiting room is an incidental disclosure.
HIPAA permits incidental disclosures as long as you apply reasonable safeguards (for example, lowering voices at the front desk and keeping schedules and files out of sight) and the minimum necessary standard, as described in the HHS FAQ on incidental uses and disclosures.
A BAA does not apply in that situation, because the other party is not performing a function involving PHI on your behalf.
When Do You Actually Need a BAA in Private Practice?
You need a BAA when someone is actively involved in your workflow and handling PHI as part of their role.
Examples include:
- Scheduling clients for you
- Managing your calendar system
- Collecting payments tied to client records
- Documenting or storing client information
- Communicating with clients on your behalf
If they are part of how your practice functions, and that function involves PHI, a BAA is required. This applies to outside parties. Your own employees, interns, and volunteers are members of your workforce under HIPAA, and they are covered by your policies, training, and sanctions rather than by a BAA.
Are Business Associate Agreements the Same in Every State?
No. HIPAA sets the federal baseline for Business Associate Agreements, but state laws and licensing requirements can add expectations that generic templates do not always reflect.
HIPAA defines what a Business Associate is and requires that a written agreement be in place when someone is handling Protected Health Information (PHI) on your behalf. That federal framework applies across all states.
However, it is not the only layer that applies to mental health providers.
Many states have their own privacy laws, professional licensing rules, and documentation expectations that can influence how a Business Associate Agreement should be structured or used in practice. This is especially relevant for therapists, where confidentiality protections often go beyond general healthcare standards.
In practical terms, this means that not all BAA templates are interchangeable. A generic or borrowed agreement may meet basic federal requirements, but still miss important state-specific language or fail to align with how your practice actually operates.
This is also why you will often see therapists asking to “use someone else’s BAA.” While that can seem like a shortcut, it can create gaps if the agreement was written for a different state, practice structure, or workflow.
The goal is not just to have a BAA in place. The goal is to have one that accurately reflects:
- how PHI is handled in your practice
- the role of the business associate
- and any applicable state-level expectations
If you’re in a situation where a Business Associate Agreement is required, having the right language matters. Most templates don’t account for how mental health practices actually operate or the state-specific requirements that can apply.
If you need a structured, state-specific version, you can review the State-Specific BAA Toolkit for Therapists here.
When a Confidentiality Agreement Is the Right Fit
A confidentiality agreement is appropriate when there is no access to your systems or records, the person is not performing services involving PHI, and any exposure is incidental within a shared environment.
In these cases, the goal is not to regulate PHI handling under HIPAA.
The goal is to set clear expectations about privacy and discretion.
Common Mistake Therapists Make
A BAA is not a “better” confidentiality agreement.
It is a different type of document used for a different purpose.
Using a BAA in the wrong situation does not increase protection.
It creates confusion about roles, responsibilities, and access to client information.
Example: Subleasing an Office in a Group Practice
Let’s break this down in a real-world scenario.
You are renting space inside another practice. Your clients may check in at the front desk, the receptionist may hear their name, and they may be seen in the waiting area. However, the receptionist does not access your records, manage your schedule, or communicate with your clients on your behalf.
This is not a business associate relationship.
It is a shared space with incidental exposure.
In this situation:
- A BAA would not apply
- A confidentiality agreement is the more appropriate safeguard
Free Resource: Shared Space Confidentiality Acknowledgment
If you’re working in a shared office setting, you can download a simple one-page confidentiality acknowledgment designed for front desk staff and shared environments.
Stay Updated on Compliance Changes
Compliance expectations are constantly evolving, and most providers don’t hear about changes until they become a problem.
If you want clear, practical updates you can actually use, you can join my email list below.
BAA vs Confidentiality Agreement: The Bottom Line
A BAA is used when someone is handling PHI on your behalf.
A confidentiality agreement is used when someone may be exposed to client information but is not involved in your workflow.
Understanding that difference allows you to choose the correct document, set appropriate boundaries, and maintain clear and defensible compliance practices.
What If a Practice Is Cash Pay Only? Does HIPAA Still Apply?
This is another area where confusion shows up.
HIPAA applies to covered entities. A health care provider becomes a covered entity by transmitting health information electronically in connection with a transaction for which HHS has adopted a standard, such as submitting insurance claims, checking eligibility, or sending claims through a clearinghouse or billing service.
A practice that is:
- Fully out-of-pocket
- Not conducting electronic transactions
- Not using third-party billing services
…may not meet the definition of a covered entity under HIPAA. Keep in mind that conducting even one of those electronic transactions, including having a billing service submit it for you, brings the practice within the definition.
However, that does not remove confidentiality obligations.
State laws, licensing boards, and ethical standards still require client privacy to be protected.
Sources – Federal HIPAA Guidance
This article references federal HIPAA guidance from the U.S. Department of Health & Human Services related to Business Associates, incidental disclosures, and covered entity requirements.
Business Associates (HHS Guidance)
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
Incidental Uses and Disclosures (HHS FAQ)
https://www.hhs.gov/hipaa/for-professionals/faq/187/what-are-incidental-uses-and-disclosures/index.html
Covered Entities (HHS Overview)
https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html
HIPAA Privacy Rule
https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
About the Author
Samantha Schalk, LMSW-C, LMSW-M, CAADC, CIMHP, BCP3
Samantha is a licensed mental health professional, private and group practice owner, and the founder of Guardian Clinical Essentials™, where she helps therapists and group practices implement practical, audit-ready HIPAA and state-specific compliance systems.
Drawing from direct experience in clinical practice and compliance consulting, Samantha specializes in translating complex federal and state regulations into clear, usable policies, tools, and workflows designed specifically for mental health providers.
Related HIPAA Resources
If you want to go deeper into how these concepts apply in your practice:
