Who Needs HIPAA Business Associate Agreements?
If you’re a health care provider or a vendor in the health care space, you need to understand your HIPAA Business Associate Agreement requirements to keep your business safe!
A HIPAA business associate (BA) is any individual or entity that may encounter protected health information (PHI) through business dealings with covered entities (PHI is any demographic information that can be used to identify a patient). Under HIPAA, employees within your organization are not considered business associates. However, some examples of individuals and technologies that are considered HIPAA business associates include lawyers, billing companies, web hosting services, and email encryption services, to name a few. By extension, HIPAA business associates who do business with your own BAs are considered “subcontractors” under HIPAA and create a chain of organizations that may encounter PHI for a wide variety of reasons.
In certain cases, individuals or entities other than BAs may encounter PHI. Cleaning companies, for example, do not qualify as BAs, but they may come across patient information while performing their duties. In this example, imagine that documents containing PHI are left on a desk or found while emptying the trash. Instead of executing a BAA with this cleaning company, you would instead execute a HIPAA confidentiality agreement. You should execute a HIPAA confidentiality agreement with any organization or individual on your staff, or anyone hired to perform a task who may accidentally encounter PHI.
Entering into a Business Associate Agreement (BAA)
Business associate agreements are mandatory as per the HIPAA Privacy Rule. A BAA will outline what BAs can and cannot do with the PHI they access, how they will protect that PHI, how they will prevent PHI disclosure and the appropriate method for reporting breaches of PHI should such a breach occur.
If you are the covered entity, you are required to sign a BAA with your HIPAA business associate, and your HIPAA business associate will sign a BAA with any subcontractors they do business with. Covered entities are not required to sign a BAA with those subcontractors; that responsibility rests solely with HIPAA business associates.
When is a BAA Required?
A BAA must be executed between the entities or organizations in question before ANY PHI may be shared, exchanged, or transmitted between those organizations. This is essential to protect the confidentiality and integrity of patients’ PHI, in addition to protecting both organizations from potential liability in the event of a data breach or HIPAA violation.
A BAA is required if:
- You are a “covered entity.” You are considered a covered entity if you provide treatment for physical and/or mental health, provide medical or health services, bill or are paid for health care services, or are a health care clearinghouse or insurance plan;
- You are a HIPAA business associate that provides services to a covered entity and comes into contact with the covered entity’s PHI;
- You provide services to a HIPAA business associate that involve PHI.
Consequently, a BAA with a vendor is also required if:
- Your vendor is involved in creating, sending, storing, or receiving PHI;
- Your vendor’s services require that you disclose PHI to the vendor;
- Your vendor accesses your PHI on a regular basis.
Why is a BAA Required?
Unfortunately, if you don’t have proper BAAs in place, you are not HIPAA compliant. There must be an understanding between covered entities, their HIPAA business associates, and any subcontractors about the risks posed by a PHI breach and the role that each organization or individual plays in protecting PHI.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) considers it a violation of the HIPAA Privacy and Security Rules to do business with a contractor without a business associate agreement in place first.
HIPAA violations can be detrimental to your hard-fought reputation and come with serious HIPAA fines. With a BAA in place, you can be confident that any data breach caused by your HIPAA business associates will be properly remediated.
Two Key Considerations
When entering a BAA, the stipulations outlined should be consistent with your responsibilities to your patients or clients. You should pay careful attention to indemnification, cooperation, and breach notification and mitigation, as these are most likely to impact covered entities. Always have an attorney review the language of your BAA if you need clarification.
If state law sets stricter requirements for protection of PHI than federal HIPAA regulation, the language of your BAA must ensure that state law takes precedence. In general, if state laws are stricter than federal laws, state law preempts federal law.
Cloud Providers as Business Associates
If cloud services are transmitting or storing PHI on behalf of health care providers, a business associate agreement is required. Although cloud service providers (CSPs) such as Amazon Web Services and Dropbox may not be aware that they are storing PHI, OCR has determined that even when CSPs store only encrypted electronic PHI, they are still HIPAA business associates.
Health care organizations should conduct a risk analysis and set up risk management rules when using CSPs. They should also review their use of CSPs and create business associate agreements that align with how the health care provider interacts with ePHI.