The current COVID-19 epidemic has a lot of healthcare providers turning to telemedicine to treat their patients. As the industry grows, healthcare providers are sharing more patient data, which means this information is also shared by their systems. To comply with HIPAA rules, organizations need to make sure that their partner organizations will protect patient data and maintain its security.
Organizations that commit to working together as partners must institute business associate agreements (BAAs). But what does a BAA entail? Who is considered a business associate? Who needs to have a BAA in place to be HIPAA compliant? What happens if there’s a breach?
BAAs are a vital piece of the healthcare security system, and there are a few critical things you must know before putting one in place.
The particulars of BAAs
According to the HIPAA Security Rule, a BAA establishes “national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity.”
Essentially, the BAA is a formal agreement between two organizations — a “covered entity” and a “business associate” — stipulating that both will maintain the security, privacy, and integrity of patients’ health data, or their protected health information (PHI).
A BAA outlines what uses of PHI are allowed or forbidden between the two signing parties, and what each will do to protect and safeguard patient data. Covered entities that must sign BAAs with business associates include, but are not limited to:
- Health insurance companies
- Nursing homes
What is a business associate?
The HIPAA Privacy Rule applies only to covered entities like those mentioned above, which are in daily contact with PHI. However, there are innumerable third-party companies that support their services and activities. These include software companies, data storage companies, and many others. Under HIPAA, these are considered “business associates,” and they have certain obligations too.
The Department of Health and Human Services defines a business associate as “a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involves access by the business associate to protected health information.”
It also includes any subcontractor that produces, stores, uses or shares PHI on behalf of another business associate.
For example, if you’re a healthcare provider using Zoom to conduct telehealth services, you need a signed BAA with Zoom — the business associate — in order to transmit PHI and remain HIPAA compliant. Other examples of business associates include:
- A third-party administrator who conducts claims processing for a health plan
- An independent transcriptionist who helps a physician with transcription services
- The benefits manager of a pharmacy who manages the pharmacist network of a health plan
What if a BAA is breached?
The purpose of a BAA is to protect organizations from liability in the event of a breach. If one of the two parties is responsible for a breach of PHI, then the BAA should clearly hold that party responsible. Not having a BAA can cost your organization not just your reputation and the trust of your patients but also a lot of money.
In 2017, the Center for Children’s Digestive Health was found to be in violation of HIPAA and forced to pay a $31,000 fine. An OCR (Office for Civil Rights) compliance review revealed that the health provider had used the data storage services of a third-party business associate, FileFax Inc., and neither company had signed a BAA. The PHI of over 10,000 individuals had been shared with FileFax without the BAA that HIPAA compliance requires.
In another case from 2016, North Memorial Health Care of Minnesota received a $1.5 million HIPAA fine when it failed to disclose Accretive Health Inc. as a business associate. When the laptop of an Accretive employee was stolen, the PHI of nearly 10,000 North Memorial patients was exposed.
Further investigation revealed that no BAA had been signed between the two entities, and North Memorial had to pay the hefty settlement as well as put in place a corrective action plan to ensure such a breach couldn’t happen again.
Moving forward with BAAs
Because a BAA is a legally binding agreement, it’s prudent to reach out to a third party knowledgeable about BAAs and healthcare IT/security to ensure that your agreement is thorough. A good BAA will protect both parties in the event of a breach, and it’s worth investing in a lawyer who can ensure the proper language is included.
The goal is to ensure not only HIPAA compliance but also the security of your patients’ PHI — and their trust in you and your organization.