When healthcare companies sign up for a HIPAA-compliant IT environment with a Cloud Hosting service, that outside organization is acting as a business associate according to the guidelines of HIPAA. In order to legally work with that organization and still follow the stipulations of the Act, medical businesses must sign a contract with the service (as with any outside party serving in a similar role) called a business associate’s agreement (BAA). Many companies do not understand why they need a BAA and what exactly is involved. Here, below, are the details.
How the BAA fits in – basic HIPAA elements & definitions
First, a brief review of HIPAA and its primary component parts allows us to place the business associate’s agreement in context.
The vast majority of healthcare companies must abide by the parameters of the Health Insurance Portability and Accountability Act (HIPAA), an Act passed by the United States Congress in 1996 that safeguards American citizens’ health data. The data that falls under the auspices of the law – as governed by the Department of Health & Human Services (HHS) – is designated, collectively, as protected health information (PHI).
PHI is typically handled by covered entities. Organizations in that category include healthcare providers, healthcare plans, and healthcare clearinghouses. Examples of each type of HIPAA-compliant organization are as follows:
- providers – doctors, dentists, nursing homes, pharmacies, etc.
- plans – health insurance companies, HMOs, Medicare, Medicaid, etc.
- clearinghouses – transcription services, etc..
Any of the above organizations necessarily handle PHI as a central responsibility of their business. The Privacy Rule and Security Rule of HIPAA require covered entities to protect patient data from loss, theft, or any other misuse.
A covered entity can choose to work with a business associate, outsourcing certain aspects of operations to a trusted third party. In order to appropriately place responsibility into the hands of the external organization, both companies must agree to the terms of a BAA. By signing the agreement, the business associate agrees to safeguard PHI and to perform its obligations to the covered entity within the guidelines of HIPAA.
Characteristics of a HIPAA BAA
According to the HIPAA guidelines, a BAA must do the following (as discussed by healthcare video-conferencing company SecureVideo in a 2013 article):
- describe the specific ways in which PHI is being used (transferred, processed, and/or stored) by the business associate, along with any ways in which they are being contracted by the covered entity to disclose PHI;
- establish that the business associate cannot use or disclose any health data beyond the purposes established in the agreement, except in special cases when cooperating with law enforcement;
- dictate that the business associate must have strong, proven protections established that disallow any malicious or otherwise unlawful PHI disclosure, use, or access – one part of which is the electronic means stipulated by the HIPAA Security Rule (including VPN capability and SSL encryption within a firewall-secured private network);
- stipulate that the business associate must immediately notify the covered entity if PHI is used or disclosed in a manner that goes beyond the parameters established in the agreement, such as in the event of a data breach;
- direct the business associate that it must protect data but also make it readily available, so that individuals can get access to their medical records as established by the law and have the ability to revise their PHI according to the amending/accounting guidelines set forth in HIPAA;
- outline the business associate to follow the Privacy Rule of HIPAA (to whatever degree the covered entity is entrusting the business associate to handle privacy-related activities);
- state that the business associate must allow the Department of Health & Human Services access to its policy documents and all accounting files that pertain to PHI use and disclosure – whether the applicable data is obtained directly from the covered entity or representing its interests – so that the US government can properly determine compliance;
- delineate the need for the business associate to return any PHI to the covered entity or to completely delete all PHI data – whether that data was obtained via the covered entity or in the business associate’s capacity as its representative – if and when the agreement between the two parties ends, if such return or deletion is possible and reasonably accomplished;
- hold the business associate responsible for its relationship with subcontractors who may additionally be exposed to PHI, so that they are held accountable with the same requirements that pertain to the business associate; and
- allow the covered entity to cancel the agreement at any time if the business associate is in noncompliance with any of its stipulations.
Working with a HIPAA compliance expert
When working with business associates on an IT infrastructure or for other means, healthcare organizations are best served by companies with long and established histories of expertise. Atlantic.Net, in business for 20 years, serves Complete Healthcare Solutions and numerous other medical clients with customized HIPAA-Compliant Hosting architectures.
By Brett Haines