Chiropractic Chronicle Archive

Archive of The Chronicle of Chiropractic.

When Employees Cross the Line: HIPAA and Business Associate Agreements

Originally published: 2025-10-27

Most chiropractors worry about outside breaches of patient privacy, such as hackers or lost laptops. In reality, many HIPAA problems start much closer to home — with employees or contractors who mishandle patient information. Without clear agreements, training, and oversight, staff can cross the line in ways that put your entire practice at risk.

Employees and PHI

Every staff member who handles records, billing, or scheduling has access to Protected Health Information (PHI). A receptionist discussing a patient’s care with a friend, or an assistant leaving charts out on the counter, can create violations just as damaging as a data breach.

“The biggest HIPAA risks are not hackers. They are the people inside your office mishandling patient information.”

Business Associate Agreements (BAAs)

Any outside vendor that touches PHI — billing companies, IT support, cloud storage providers, even shredding services — must have a signed Business Associate Agreement with your practice. Without it, you are liable if they mishandle information. Many chiropractors skip this step and assume vendors are automatically compliant.

Common Risk Scenarios

Prevention Through Policy and Training

The Risk Management Bottom Line

HIPAA compliance is not just about technology. It is about people. Protecting your practice requires written agreements with vendors and consistent training for staff. The greatest risks come from those closest to you, which is why prevention starts inside your own office.

ChiroFutures provides chiropractors with risk management tools and customizable HIPAA resources that keep staff, vendors, and practices aligned with federal privacy requirements.
