How to Ensure Your VA Meets HIPAA Requirements
For healthcare providers, therapists, medical billing companies, and any business that handles Protected Health Information (PHI), HIPAA compliance is not optional - it's federal law. When a virtual assistant accesses, processes, or transmits PHI on your behalf, they become a Business Associate under HIPAA, triggering specific legal obligations for both of you.
This guide gives you a systematic framework for ensuring your VA is fully HIPAA-compliant before they touch a single patient record.
See also: what is a virtual assistant, how to hire a virtual assistant, data security best practices for VAs.
Who Qualifies as a Business Associate?
Under HIPAA, a Business Associate is any vendor or contractor who creates, receives, maintains, or transmits PHI on behalf of a covered entity. If your VA:
- Accesses your EHR system or patient scheduling software
- Handles medical billing or insurance claims
- Manages patient communication (calls, emails, portal messages)
- Processes payment data tied to patient accounts
- Prepares documents containing patient information
...then they are your Business Associate and HIPAA's Business Associate Agreement (BAA) requirements apply.
Step 1: Execute a Business Associate Agreement (BAA)
A BAA is a legally required contract that must be signed before a VA accesses any PHI. The BAA must include:
- Description of permitted PHI uses by the Business Associate
- Safeguards the BA will implement to protect PHI
- Obligation to report any security incidents or breaches
- Requirements for sub-contractors (if the VA uses any tools or people who could access PHI)
- Terms for PHI destruction or return upon contract termination
Do not skip this step. Operating without a BAA when PHI is involved exposes your practice to HIPAA fines ranging from $100 to $50,000 per violation, with annual maximums of $1.9 million per violation category.
Have your healthcare attorney review your BAA template annually - HIPAA guidance evolves and your BAA should reflect current requirements.
Step 2: Verify HIPAA Training Completion
Before your VA accesses any PHI, confirm they have received proper HIPAA training. You have two options:
Option A: Accept third-party training certification. Ask your VA to provide a training certificate from a recognized HIPAA training program (HIPAATraining.com, Compliancy Group, AHIMA, etc.). Verify the certificate includes the training date and curriculum scope.
Option B: Provide your own training. Many practices have their own HIPAA training module. Walk your VA through it and document their completion with a signed acknowledgment form.
Training must cover:
- What constitutes PHI and ePHI
- The Minimum Necessary standard (accessing only the PHI needed for each task)
- How to handle PHI in emails, calls, and documents
- Breach recognition and reporting obligations
- Device and account security requirements
Require annual refresher training. Document each training session - this documentation is your evidence during a HIPAA audit.
Step 3: Audit System Access and Permissions
Apply the Minimum Necessary principle: your VA should only access the PHI systems and data fields required for their specific job function.
EHR system access:
- Create a named user account for your VA - never share credentials
- Assign a role with permissions limited to their function (scheduling access only, billing module only, etc.)
- Enable audit logging so every PHI access is recorded
- Require multi-factor authentication (MFA)
Email:
- Standard Gmail or Outlook accounts do not meet HIPAA requirements unless you have a signed BAA with Google or Microsoft and the service is configured properly
- Use HIPAA-compliant email: Google Workspace (with BAA), Microsoft 365 (with BAA), Paubox, or ProtonMail for Business
- Disable email auto-forwarding to personal accounts
File storage:
- Store PHI only in HIPAA-compliant cloud storage: Google Drive (with Workspace BAA), Dropbox Business (with BAA), Box (with BAA), or Microsoft OneDrive (with 365 BAA)
- Personal Google Drive, personal Dropbox, or USB drives are not acceptable for PHI
Communication tools:
- Standard Slack, WhatsApp, and SMS are not HIPAA compliant for PHI discussions
- Use compliant messaging: Slack (with BAA + proper config), TigerConnect, or Spruce Health for secure messaging
Step 4: Implement Device and Physical Security Requirements
Your VA's work environment matters. Establish these minimum device standards in writing:
- Encrypted device: Their computer must use full-disk encryption (FileVault on Mac, BitLocker on Windows)
- Screen lock: Auto-lock after 5–10 minutes of inactivity
- Antivirus software: Current, active antivirus/malware protection
- No public Wi-Fi: PHI must never be accessed over public or unsecured networks - require VPN use when working outside the home
- Private workspace: PHI must not be visible to household members or in public spaces
- No printing: Prohibit printing of PHI unless your VA has a HIPAA-compliant document destruction process (shredder with certificate)
Document these requirements in your BAA or a separate VA Security Policy that the VA signs.
Step 5: Establish Breach Reporting Procedures
Your VA must know exactly what to do if they suspect a security incident or breach. Define this in writing:
- Immediate notification: Report to you (the covered entity) within 24 hours of discovering a suspected breach
- Documentation: Record what happened, what PHI may have been involved, and what immediate steps were taken
- Containment: Change passwords, revoke access, or isolate affected systems as appropriate
- Your obligations: As the covered entity, you are responsible for HIPAA breach notification to HHS and affected patients if required
Under HIPAA, breaches affecting 500+ individuals in a state must be reported to HHS and local media. All breaches go into the HHS breach log. The faster you contain and report, the better your position.
Step 6: Ongoing Compliance Monitoring
HIPAA compliance is not a one-time checklist - it's an ongoing program:
Quarterly:
- Review VA's system access permissions - remove anything no longer needed
- Check audit logs for unusual PHI access patterns
- Verify MFA is active on all accounts
Annually:
- Require HIPAA refresher training and document completion
- Review and update your BAA if your VA's role has changed
- Conduct a risk assessment covering your VA's access points
At offboarding:
- Immediately revoke all system access on the last day
- Require return or certified destruction of any PHI in the VA's possession
- Retain BAA and access logs for 6 years per HIPAA requirements
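The Minimum Necessary role assignment in Step 3 and the quarterly "check audit logs for unusual PHI access patterns" item above are easier to carry out with a repeatable script than by eyeballing an export. The following is an added example, not code from the guide or from any EHR vendor. It assumes the EHR can export audit events as CSV rows of timestamp, user, module, action, patient_id (local time), and the account name, permitted module, working window and per-day patient threshold are hypothetical values you would replace with the VA's actual written role.

```python
"""Quarterly review of an EHR audit export against a VA's minimum-necessary policy.

Added example (not from the guide). Assumes the EHR exports audit events as CSV:
timestamp,user,module,action,patient_id   (timestamps in local time)
"""
import csv
from collections import defaultdict
from datetime import datetime, time
from io import StringIO

# Constructed sample export: a scheduling-only VA account plus one billing clerk.
SAMPLE_AUDIT_LOG = """\
timestamp,user,module,action,patient_id
2024-03-04T09:02:11,va.scheduling,scheduling,view,P1001
2024-03-04T09:05:40,va.scheduling,scheduling,update,P1001
2024-03-04T13:17:02,va.scheduling,billing,view,P2042
2024-03-04T23:48:19,va.scheduling,scheduling,view,P3110
2024-03-05T10:00:00,va.scheduling,scheduling,view,P1002
2024-03-05T10:00:03,va.scheduling,scheduling,view,P1003
2024-03-05T10:00:06,va.scheduling,scheduling,view,P1004
2024-03-05T10:00:09,va.scheduling,scheduling,view,P1005
2024-03-05T10:00:12,va.scheduling,scheduling,view,P1006
2024-03-05T10:00:15,va.scheduling,scheduling,view,P1007
2024-03-04T11:30:00,billing.clerk,billing,view,P2042
"""

# Hypothetical written role for the VA: scheduling module only, business hours,
# and a tripwire on how many distinct patient records one day should touch.
VA_POLICY = {
    "user": "va.scheduling",
    "allowed_modules": {"scheduling"},
    "work_hours": (time(8, 0), time(18, 0)),
    "max_patients_per_day": 5,
}


def parse_audit_log(text):
    """Parse the CSV export into dict rows with real datetime objects."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return rows


def review_access(rows, policy):
    """Return findings as (kind, when, detail, patient_id) tuples.

    Flags: access to a module outside the assigned role, access outside the
    agreed working window, and days where the number of distinct patient
    records exceeds the threshold (possible bulk lookup).
    """
    findings = []
    start, end = policy["work_hours"]
    patients_by_day = defaultdict(set)
    for row in rows:
        if row["user"] != policy["user"]:
            continue  # only the account under review
        ts = row["timestamp"]
        if row["module"] not in policy["allowed_modules"]:
            findings.append(("module_not_permitted", ts.isoformat(),
                             row["module"], row["patient_id"]))
        if not (start <= ts.time() <= end):
            findings.append(("outside_work_hours", ts.isoformat(),
                             row["module"], row["patient_id"]))
        patients_by_day[ts.date()].add(row["patient_id"])
    for day, patients in sorted(patients_by_day.items()):
        if len(patients) > policy["max_patients_per_day"]:
            findings.append(("bulk_access", day.isoformat(), str(len(patients)), ""))
    return findings


if __name__ == "__main__":
    for finding in review_access(parse_audit_log(SAMPLE_AUDIT_LOG), VA_POLICY):
        print(" | ".join(finding))
```

Run it against each quarter's export and keep the output with your compliance records; a finding is a prompt to ask the VA about the access, to tighten the role, or to start the breach procedure in Step 5, not proof of wrongdoing. The thresholds belong in the VA Security Policy the VA signs, so the script checks the rule the VA actually agreed to.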
Frequently Asked Questions
Does my VA need to be US-based to be HIPAA compliant?
No - HIPAA compliance is about processes and safeguards, not location. International VAs can be HIPAA compliant if they complete proper training, sign a BAA, use compliant systems, and follow all security requirements. However, working with US-based VAs simplifies enforcement if issues arise.
Can a virtual assistant handle medical billing under HIPAA?
Yes, with a signed BAA and proper system access controls. Medical billing VAs routinely handle PHI for practices across the US. Ensure they use HIPAA-compliant billing software and never transmit claim data via unencrypted email.
What happens if my VA causes a HIPAA breach?
Both you (the covered entity) and your VA (Business Associate) share liability. Your BAA should outline each party's obligations in a breach scenario. You will likely need to conduct a breach risk assessment, notify affected patients if required, and report to HHS.
Is a HIPAA-compliant virtual assistant more expensive?
Not by much, if at all. VAs with HIPAA training and experience may charge $1–3/hr more than general VAs, but the cost of a HIPAA violation (fines, legal fees, reputational damage) far exceeds any premium. Working through an agency that specializes in healthcare VAs gives you pre-screened, trained candidates.
Ready to Hire a HIPAA-Compliant VA?
Virtual Assistant VA connects healthcare providers with virtual assistants who have completed HIPAA training and understand healthcare compliance requirements. Get matched today.