How do I know which businesses I work with qualify as BAs, and which do not?

A BA is any person or organization that does work for you and is not a workforce member. Your employees and volunteers are not BAs. Anyone on the treatment team (e.g., other therapists, referring physicians, supervisors) is not a BA. You are obligated to identify any potential risks to your PHI. Given that BAs account for upwards of 30% of all breaches, you need to satisfy yourself that they are protecting PHI. If, once they have become a BA, they exhibit a pattern of violations, you need to terminate your agreement with them, if feasible.