Michael Nikitin
CTO & Co-founder AIDA, CEO Itirra
A Business Associate Agreement (BAA) or Business Associate Contract is integral to any effective HIPAA compliance program. It is essential for companies involved in the healthcare industry to understand if and when they require a BAA, as they risk significant penalties and permanent reputational damage in case of HIPAA violations.
The HIPAA Security Rule defines BAA as a legally binding contract between a healthcare provider and an entity that accesses, transmits, or stores protected health information (PHI) as part of the services provided. The size and complexity of the modern healthcare industry mean that PHI can be found in more places than just a doctor’s office.
Third parties are often responsible for protected data such as copies of X-rays kept in offsite facilities, insurance information used by external billing companies, health information sent through providers by mail or electronically, and prescription data stored on servers or in the cloud.
In this article, we’ve put together important information about HIPAA Business Associate Agreements to help you know when and if you need one. It is important to note that a BAA is a legally binding contract. Therefore, before entering into any agreement with a Business Associate (BA), it is best to seek advice from a compliance expert, security officer, or lawyer.
When do you need a Business Associate Agreement (BAA)?
HIPAA defines that Covered Entities (CEs) and Business Associates (BAs) that process PHI must sign a BAA with their partners and subcontractors to secure data and prevent breaches, disclosures, and losses of healthcare data. If third parties have access to PHI during their assigned work, they are defined as BAs and must sign the BAA.
Direct employees of an organization do not need to sign a BAA as they are part of the organization and are not considered business partners per se. However, they are still subject to HIPAA laws, and it is the employer’s responsibility to educate employees on how to maintain the integrity and security of PHI.
When an organization is authorized to process, use, distribute, or access PHI, it qualifies as a BA under HIPAA regulations. A quick rule to remember with your business associates: You must have a compliant BAA before sharing PHI. A HIPAA Business Associate Agreement is the easiest way to protect your practice or organization in case of a breach.
If you are unsure whether your organization is a covered entity or a business associate, it is best to assume that you are subject to HIPAA requirements and that the information you are processing is PHI unless you know otherwise.
What is a Business Associate Agreement (BAA)?
Business Associate Agreements contain information about the permitted and prohibited uses of PHI between two HIPAA-subject organizations, including relationships between CEs and BAs and relationships between two BAs. Business associate agreements should be rigorously checked against HIPAA rules to ensure they cover everything that is expected of them.
Business partners should be made aware of the consequences of not complying with HIPAA requirements. Regulators can directly impose penalties on BAs that violate HIPAA. Therefore, before signing, it is crucial to ensure that the BAA covers all aspects of the employment relationship under HIPAA rules and regulations.
Who needs a Business Associate Agreement (BAA)?
Any business associate who handles PHI or ePHI during the work they are hired to do requires a business associate agreement. BAs usually do not have direct contact with patients but often deal with large amounts of health data. Below is a short list of some of the most common examples of business associates we see in the market:
● Medical billing services
● Practice management
● Cloud storage providers
● Physical storage providers
● EHR providers
● Translator services
● Shredding services
● File sharing vendors
● Accounting or consulting firms
● IT vendors
● Cloud vendors
● Consultants hired to conduct audits, perform coding reviews, etc.
● Lawyers
● Medical equipment service companies handling equipment that holds PHI
It is important to note that business associates may only use PHI provided by covered entities to assist them in performing healthcare functions. BAs may not use PHI for independent uses or purposes, such as marketing or commercial activities unrelated to their partnered CE.
Who is exempt from Business Associate Agreements (BAAs)?
The vast majority of organizations handling PHI must sign BAAs with only a few exceptions:
● Other healthcare providers, when PHI is shared for treatment purposes
● Health plans such as Medicaid
● Health plan sponsors (such as an employer)
● Internet service providers (such as your cable company)
● US Postal Service
● Other courier services
How to define liability in a Business Associate Agreement (BAA)?
BAA helps ensure HIPAA compliance and creates a bond of accountability among partnering organizations. If either party discloses PHI violates the BAA, the other party can take legal action. Without a BAA, incomplete, or in serious breach of agreement, both entities could find themselves in the crosshairs of the Department of Health and Human Services, the Office for Civil Rights, and even the Department of Justice.
Good business partner agreements protect both parties in the event of a breach, so it is in your best interest to ensure they are executed in the correct language.
A good BAA must first include confirmation that the organization issuing it is committed to complying with HIPAA regulations. It must also have proof that the organization signing the BAA is committed to complying with HIPAA regulations. It is reasonably intuitive: if two organizations agree that they fall under HIPAA, they cannot be exempted from liability by claiming they do not have to comply with HIPAA regulations.
A good HIPAA business associate agreement also serves the vital function of protecting the organization from liability in the event of a breach. If any party is responsible for a protected health information breach, the BAA shall clearly hold that party accountable and define it using appropriate language.
In some OCR investigations where the BAA was not correctly implemented, covered entities unrelated to the breach that triggered the investigation were held liable for data loss. Not only are BAAs required by federal regulations, but they are also in the best interest of protecting your organization’s reputation.
What are the most common BAA mistakes?
As with anything related to HIPAA, it takes a lot of work to become and remain compliant. Let’s look at common BAA problems that affect healthcare organizations.
Unaware that PHI passes through a service
Let’s take email as an example. A CE sending PHI to a patient is not asking their email service to hold on to data but to pass it on to the recipient. However, the email provider still holds the sensitive health data for a time, so there must be a signed BAA outlining who is responsible for the PHI during the transfer. Healthcare companies must be aware of all services that might have access to PHI, even if they don’t actively hand it over.
Using a template BAA without adjustment
Be sure to choose and adjust a BAA template that meets the needs of your practice or business. For example, a BAA written for a large medical institution may not be suitable for a small private practice. Remember, BAAs also address your responsibilities in the relationship. When you sign a BAA, make sure you know what you agree to.
Signing a BAA without due diligence
Signing a BAA is the final step to confirm cooperation with a new business. It’s vital to perform due diligence, vet, and research a potential partner to ensure they are willing and able to protect your PHI.
For example, you can start by asking about their risk assessments, safeguards to protect PHI, policies and procedures, history of any data breaches, and how they dealt with them. The research may seem like a lot of extra work, but it’s worth ensuring that the company you hire can deliver on its security promises.
Expecting HIPAA compliance by signing a BAA
Companies are not automatically HIPAA compliant if they have a signed BAA. In the event of a violation, the BAA will likely help you get covered. However, if it becomes apparent that you haven’t researched your partner, you could be liable. It’s essential to make sure the other party lives up to its promise to protect customer information.
Conclusion
As the cyber threat landscape evolves and the privacy and security of patient data become more critical, healthcare organizations are increasingly turning to third parties to manage large volumes of PHI. A comprehensive BAA is crucial to the compliance, security, and privacy of any individual, business, or other organization that has PHI derived from a Covered Entity. It describes the relationship between the two parties and protects them in case of a breach.
HIPAA has significant implications for affected companies and business partners, but by adhering to software security standards, healthcare providers can reduce internal and external threats to their PHI. However, lack of encryption, insecure communication channels, and inconsistent access controls are common problems with medical software. Even something as trivial as a push notification can lead to a HIPAA violation, and developing secure and HIPAA-compliant software is always a challenge.
At Itirra, we know how to build secure software for healthcare companies that need it. Our team has extensive experience in building comprehensive healthcare solutions. Contact us today to learn how to achieve and maintain HIPAA compliance while building software for your business.