What is a Business Associate Agreement and Why is it Important for HIPAA?
Software and cloud providers are becoming a major part of healthcare infrastructure. As demands for data storage, analytics, collaboration, and telehealth treatment increase, healthcare providers are relying on MSPs and CSPs to help them stay up-to-date and compliant while respecting the privacy of their patients.
If you’re a vendor who wants to work in the healthcare industry as a Business Associate, it’s not enough for your partners to stay compliant. Under HIPAA rules, you must have an agreement in place with any healthcare provider you partner with that places you under HIPAA regulations as well.
Covered Entities and Business Associates in HIPAA Regulations
The Privacy Rule outlines the specifics of HIPAA compliance: what protected data is, the responsibilities of healthcare organizations handling that data, and what steps they need to take to manage their compliance and assess risk.
Another important aspect of this rule, and from the introductory material of HIPAA in general, is how it defines responsible parties. In this case, the two most prominent parties in any HIPAA compliance situation are Covered Entities and Business Associates.
- Covered Entities (CEs): CEs are defined by HIPAA as Health plans, healthcare clearinghouses, and healthcare providers who collect, store, or transmit Personal Health Information (PHI). Any manner of data handling or transmission that includes PHI situates these organizations as CEs. They use PHI for treatment, research, insurance provisioning, and billing.
- Business Associates (BAs): These organizations supplement for or partner with CEs but do similar work. So, for example, a hospital might be a CE handling patient data, and they work with a billing and finance firm that handles their PHI for payments. That firm is considered a BA with specific legal responsibilities.
These definitions can be somewhat fluid. A healthcare logistics or IT company will most likely not be a Covered Entity like a hospital. A hospital, or parts of a provider, can offer additional services to other CEs, in which case they are also a Business Associate.
Any company that enters into a working relationship with a Covered Entity as a Business Associate must have a working Business Associate Agreement (BAA).
What is a Business Associate Agreement?
For HIPAA compliance, all CEs must have a BAA with any Business Associates that will handle, store, or come into contact with PHI.
In general terms, a BAA creates a legal relationship between CAs and BAs that is enforceable under HIPAA regulations. Any third-party company or professional that does not work for a CE but that works with a CE handling PHI must sign a BAA. Failure to have one in place can result in extensive finds and other penalties for both the CE and the BA.
Who can fall under the designation of “Business Associate”?
- A financing and payments processing company handling patient payment and billing information on behalf of a hospital or clinic.
- A managed service provider (MSP) hosting technical utilities that manage PHI for a hospital, clinic, or insurance company.
- A cloud service provider (CSP) serving as a backup storage solution for patient records with a hospital network.
- Contract website developers building intranet websites who may come into contact with PHI.
- Email providers hosting or transmitting emails outside a hospital firewall infrastructure.
While these are some examples, they are by no means exhaustive. If your business comes into contact with PHI, you are essentially functioning as a business associate.
The HIPAA Omnibus Rule
Before 2013, Business Associates had certain legal liabilities under a BAA, including their responsibility to secure and protect PHI under the HIPAA Privacy, Security, and Breach Notification Rules.
In 2013, however, the Department of Health and Human Services (HHS) published the final revision of the Omnibus rule, which fundamentally reshaped several portions of HIPAA regulations. One of the biggest changes to HIPAA was the impact on Business Associates and BAAs.
After the Omnibus rule tool effect, the following changes were made part of HIPAA guidelines:
- All CEs and BAs had to revise their BAAs to incorporate the new requirements.
- All Business Associates faced new requirements under the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009. Part of this was including extended breach notification rules for BAs, namely notifying any CE they worked with of a data breach.
- The definition of a Business Associate was also expanded to include companies that support Covered Entities in any capacity that discloses PHI. That is, prior to the Omnibus Rule, only companies that actively managed PHI was considered BAs, whereas after 2013 any associated firm that even touched PHI as part of their operation were subject to HIPAA compliance.
- Following those extensions of definition, liabilities, responsibilities, and penalties for HIPAA compliance and non-compliance were subsequently extended to cover BAs under their Business Associate Agreements.
- Finally, subcontractors for BAs were defined as subject to HIPAA requirements as well and had to enter individual agreements with the Business Associate independent of the CE.
The Use and Impact of Business Associate Agreements
Business Associate Agreements are a necessary part of doing business in the healthcare industry. Consider the following examples:
- Service providers like Microsoft and Google provide enterprise-level products (email, cloud storage) that are incredibly important for healthcare businesses large and small. Both Microsoft and Google have BAAs that they require of any CE they enter into an agreement with. This includes any CE or BA using email, cloud storage, or productivity tools that in any way come into contact with PHI.
- Pharmacies using POS software on a cloud platform or processing patient information through a third-party supplier must have BAAs in place for those relationships.
- A law firm representing a hospital or clinic must have a BAA in place with each client they serve if they are to use or disclose PHI as part of their job.
The BAA outlines the fact that the Business Associate is bound by the Privacy, Security, and Breach Notification Rules of HIPAA. That means that they must:
- Protect the privacy, security, and integrity of PHI in their custody.
- Provide adequate physical, administrative, and technical safeguards for any PHI they store or transmit.
- Notify their associated CE in the event of a data breach involving PHI.
- Assess risk related to their data infrastructure as it relates to HIPAA compliance.
This means that BAs are liable under HIPAA for penalties and other punishments for non-compliance. These penalties can range from $100 per incident to a minimum of $50,000 per incident involving willful neglect.
These agreements can also include additional liabilities, requirements, and responsibilities that fall under different legal jurisdictions.
Likewise, CEs and BAs can still face penalties for not having a BAA on file. In 2017, the Center for Children’s Digestive Health, a small clinic for-profit clinic in Chicago, was hit with over $30,000 in fines when a compliance audit of their Business Associate showed that neither party had a BAA on file.
HIPAA compliance is a serious issue and maintaining compliance when working with Business Associates can get tricky. Make sure that you have a clear understanding of your Business Associates, that you trust their compliance efforts, and that those efforts are spelled out in a BAA for your protection and the protection of your patients’ PHI.
Lazarus Alliance supports companies working in the healthcare industry with expert audits of HIPAA compliance, as well as additional consulting and support for continued HIPAA maintenance. To learn more on how Lazarus Alliance can help you pursue your NIST 800-66 HIPAA attestation, please call us at 1-888-896-7580 or through the form below.