Author: speck

  • Business Associate Agreement (BAA) Template

    A Business Associate Agreement (BAA) is a legally required contract under the Health Insurance Portability and Accountability Act (HIPAA) that outlines how a business associate will protect and handle protected health information (PHI) on behalf of a covered entity. If you are a healthcare provider, therapist, medical biller, virtual assistant, or software vendor handling PHI in any capacity, a BAA is not optional — it is required by law.

    Why a BAA Matters

    A BAA ensures that:

    • PHI is used only for permitted purposes
    • Both parties understand their legal responsibilities
    • There is accountability if a data breach occurs
    • HIPAA safeguards (administrative, physical, technical) are clearly defined

    Without a BAA in place, both parties may face legal and financial penalties.

    Who Needs a BAA?

    You need a BAA anytime PHI is shared with a third-party service provider that is not an employee. Common examples:

    • Practice management/EHR platforms
    • Billing companies or virtual assistants
    • Teletherapy platforms
    • Cloud storage or email providers
    • IT/security consultants

    If PHI is involved — you need a BAA.

    Blank Fillable Business Associate Agreement (Template)

    Here is a fillable PDF template contract. It should serve your needs, but be sure to read it over carefully before using it.

    BAA Agreement Blank FormDownload

  • Cigna EAP Provider Guide

    So you’ve gotten your first patient with a Cigna EAP. Here’s a guide to help you through the process.

    EAP is a sort of pre-authorization. You can’t just see a patient and bill it to the EAP. Either the patient or the employer has to reach out to the EAP coordination system set up for them. They can specify a provider or the system can find one for them. 

    Then both you and the patient are sent a letter with the authorization code. Some EAP programs like Aetna have a portal where you can go in and get the letter before it actually arrives in the mail. There isn’t a portal for Cigna, so the only way to verify that the patient has a valid EAP code call their EAP folks. (If they failed to get the code or lost it, the EAP folks can look it up with the insurance information). 

    With Cigna, you can also request EAP sessions on behalf of the patient. You (the provider) can do it (1 (877) 622-4327) or your staff can do it if you give them the general reason the patient is looking for treatment. To get paid to see them under EAP, you have to have the authorization before the session happens.

    They will get a number of sessions on a specific topic. Those sessions should be billed under 99404. Once the sessions are finished, you can refer the patient to yourself or another therapist for further treatment and bill their regular insurance under the usual codes.

  • Getting Started with Insurance Credentialing

    If you’re a healthcare provider looking to join insurance panels, here are the essential steps to begin the credentialing process. These steps will help your credentialer gather what’s needed to apply on your behalf.

    Step 1: Apply for a National Provider Identifier (NPI)

    If you don’t have an NPI, you’ll need to apply for one through the National Plan and Provider Enumeration System.

    • Address Requirements: You must provide a physical address. If you’re an independent practitioner without an office:
      • For Medicare only, a PO Box may suffice.
      • For other insurers, consider renting a commercial mailbox (e.g., at a UPS Store).
    • Privacy Note: NPI records are public. Avoid listing your home address—this is especially important for mental health professionals for safety and privacy reasons.
    • Phone Number: If you’re not affiliated with a group, you’ll also need a dedicated business phone number instead of using your personal number.

    Apply for an NPI →

    Step 2: Acquire Liability Insurance


    All insurance panels require you to carry liability insurance. Be sure the coverage is active and meets standard requirements for your specialty.

    Step 3: Create a CAQH Profile

    CAQH is a central hub where most insurers verify your credentials.

    • Fill out the profile as completely as possible.
    • Upload all required documentation.
    • Your credentialer will need your login credentials to access and manage this profile.

    Set up your CAQH profile →

    Step 4: Obtain an Employer Identification Number (EIN)

    While optional, this step is strongly recommended:

    • Without an EIN, your Social Security Number (SSN) may appear on public and billing documents.
    • You can apply for an EIN as a sole proprietor or after forming a legal business entity such as an LLC.

    Apply for an EIN →

    Step 5: Open a Business Checking Account

    Though not strictly required, this is best practice and is required if you’ve formed an LLC.

    • It protects your personal account information.
    • It helps maintain separation of business and personal finances.
    • It’s essential for building a business credit history.

    Additional Documents & Information Often Required

    • Social Security Number (SSN): Some insurers require this even if you have an EIN. Note: CAQH will ask for your SSN, but it cannot be retrieved from your profile later—keep a separate record.
    • EIN Tax Letter: If you’ve received an EIN, you’ll need to submit a copy of the confirmation letter from the IRS.
    • Banking Information: Especially required for Medicare enrollment or if billing under your own entity. This includes:
      • Your routing and account numbers
      • A voided check or official letter from your bank verifying the account
    • Curriculum Vitae (CV): Some insurers ask for a full CV; others only require employment history. A complete CV satisfies both.
    • Electronic Signature (optional): Providing your signature upfront allows your credentialer to complete forms (e.g., W-9s, EFT agreements) on your behalf, minimizing back-and-forth later.

    Need Help?

    We’re here to support you throughout the credentialing process.

    Contact Us →

  • Navigating Address Requirements as a Tele-Mental Health Provider

    As the demand for tele-mental health services continues to grow, so too do the complexities of compliance. One of the more frustrating issues providers face is the requirement to maintain a physical address—even when their entire practice operates virtually. Insurers and the Centers for Medicare & Medicaid Services (CMS) still cling to outdated location requirements that don’t align with modern telehealth models.

    Why a Physical Address Is Still Required

    Most insurance companies and CMS require mental health providers to list a physical address in their directories. This remains true even for solo practitioners working exclusively online.

    However, there was a meaningful update in April 2024: CMS now allows providers with Type 1 NPIs (individual practitioners) to use P.O. Boxes or private delivery service locations (such as a UPS store) as their primary practice location1. This is a welcome shift for solo providers who don’t have a brick-and-mortar office.

    Unfortunately, this rule change does not apply to Type 2 NPIs, which are generally required to set up a group or organizational structure. CMS continues to require a physical address for Type 2 NPIs and has even implemented a database to flag non-compliant delivery service addresses.

    Your Options: Workarounds and Practical Solutions

    If you’re building a tele-mental health practice, here are a few ways to navigate the physical address requirement:

    1. Use Your Home Address (Cautiously)

    This is the most straightforward solution, though it raises obvious privacy concerns. Still, the address would be linked to your business entity, not your personal identity. For some providers, this trade-off is acceptable.

    2. Hire a Registered Agent

    Just as registered agents are used for LLC registration, they can also serve as a business address for your practice. These services typically receive a small amount of mail on your behalf and may offer scanning or forwarding options. Many are affordable and low-maintenance. Early indications suggest that CMS will accept registered agent addresses—at least for Type 2 NPIs.

    3. Avoid the Need for a Type 2 NPI (If You Can)

    Depending on how you structure your business, you might be able to operate entirely under a Type 1 NPI. This can simplify compliance and sidestep the physical address problem altogether. That said, this approach isn’t feasible if you’re planning to build a group practice or hire additional clinicians.

    Final Thoughts

    Tele-mental health is here to stay, but the infrastructure supporting it hasn’t quite caught up. Until CMS and insurers modernize their systems, telehealth providers will need to get creative with compliance. Whether you’re just starting out or restructuring your practice, carefully weighing your address options can help you stay within the rules—without compromising your privacy or adding unnecessary overhead.

    Have questions about setting up your telehealth practice or navigating CMS regulations? Share your experiences or drop a comment below—we’d love to hear from you.

    1. “The first line location address of the provider being identified. For providers with more than one physical location, this is the primary location. This address can only include the USPS post office box location or personal mailbox offered by a private delivery service if the provider’s NPI is Entity type code = 1 and the provider does not have a physical location other than their home address (for example, a provider that exclusively provides telehealth services from their home).” ↩︎