With the continued growth of healthcare data and a higher degree of interoperability between provider systems, HIPAA covered entities will need to form partnerships with other organizations to ensure the security of their data assets. These partnerships are formalized through business associate agreements (BAAs).
But what exactly are HIPAA business associates? Are they held to the same healthcare privacy and security requirements as covered entities? What happens when they violate their obligations?
In this primer, HealthITSecurity.com takes a deeper look at these essential members of the healthcare security ecosystem and explains why HIPAA business associate agreements are vital to healthcare organizations.
What is a BAA?
According to HHS, any individual or entity that performs functions or activities on behalf of a covered entity, where those functions require access to PHI, is considered a business associate.
This individual or organization may also provide services to a covered entity. Examples include a consultant who performs hospital utilization reviews or an attorney who has PHI access while providing legal services to a healthcare provider.
Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions.
However, there are exceptions to the business associate standard, HHS says, where “a covered entity is not required to have a business associate contract or other written agreement in place before protected health information may be disclosed to the person or entity.”
These exceptions include but are not limited to the following situations:
- Disclosures by a covered entity to a healthcare provider for treatment of the individual
- PHI collection and sharing by a health plan that is a public benefits program, such as Medicare
- Disclosures to a health plan sponsor, by a group health plan, the health insurance issuer, or HMO that provides health insurance benefits or coverage for the group health plan
- Disclosures to individuals or organizations that act merely as a conduit for PHI, such as the US Postal Service
Once a covered entity has identified its applicable business associates, it must ensure that these third parties will use any PHI provided to them only in a secure and agreed-upon manner.
“Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate,” HHS maintained on its website.
This is where business associate agreements, or business associate contracts, come into play.
Understanding the intricacies of business associates and BAAs
The HIPAA Omnibus Rule changed how business associates are expected to maintain PHI security.
“The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity,” HHS states on its website. “The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.”
Business associates can now also face repercussions under HIPAA regulations similar to those faced by covered entities should PHI be compromised in a healthcare data breach.
A business associate contract, or business associate agreement, is a written arrangement that specifies each party’s responsibilities when it comes to PHI.
The contract must describe permitted and required PHI uses for the business associate, and also state that the business associate “will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law.”
Appropriate safeguards need to be established, ensuring that the business associate will prevent PHI disclosure outside of what is permitted in the contract.
“Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement,” HHS explains. “If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to [OCR].”
A sample business associate agreement can be found on HHS’ website.
The rise of cloud service providers as business associates
As more healthcare providers start to utilize cloud services, the issue of cloud service providers (CSPs) as business associates is becoming more complex. Both covered entities and business associates need to understand how they can take advantage of cloud options while still maintaining HIPAA compliance.
HHS released more detailed guidance on cloud computing, CSPs, and business associates in 2016 to help clarify potential confusion.
“When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA,” the guidance states. “Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate.”
HHS also suggested a service level agreement (SLA) to address more specific business expectations between the CSP and its customer. The provisions could potentially cover the following areas:
- System availability and reliability;
- Back-up and data recovery (e.g., as necessary to be able to respond to a ransomware attack or other emergency situation);
- Manner in which data will be returned to the customer after service use termination;
- Security responsibility; and
- Use, retention and disclosure limitations.
However, HHS noted that a CSP is considered a HIPAA business associate even if it only stores encrypted ePHI and does not have a decryption key. HIPAA regulations still define an entity as a business associate even if that organization cannot actually view the ePHI it is maintaining for a covered entity or other business associate.
Encrypting ePHI reduces the risk of potential exposure, but it cannot on its own “safeguard the confidentiality, integrity, and availability of ePHI as required by the Security Rule.”
“Encryption does not maintain the integrity and availability of the ePHI, such as ensuring that the information is not corrupted by malware, or ensuring through contingency planning that the data remains available to authorized persons even during emergency or disaster situations,” HHS maintains.
Providers will need to seek out secure and compliant cloud service providers on their own; OCR will not assist healthcare organizations that are trying to find cloud services that are reportedly HIPAA compliant.
“OCR does not endorse, certify, or recommend specific technology or products,” the guidance says.
While HHS and OCR offer guidance on how covered entities and business associates can utilize cloud computing, those healthcare organizations should still perform their own due diligence when seeking out secure options. From there, crafting an applicable business associate contract, BAA, or SLA will be necessary to ensure that all parties understand what is expected of them in terms of PHI security.
What happens when BAs violate HIPAA regulations?
Business associates can be held liable for PHI exposure. Whether the partners involved lack a business associate agreement or a business associate simply falls victim to a ransomware attack, business associates must also ensure that they stay HIPAA compliant.
In April 2017, the Center for Children’s Digestive Health (CCDH) agreed to a $31,000 OCR HIPAA settlement after it was found that CCDH did not have a BAA with FileFax, Inc., a patient information storage provider.
OCR initiated a compliance review of CCDH in August 2015 following its investigation of FileFax.
“While CCDH began disclosing PHI to Filefax in 2003, neither party could produce a signed Business Associate Agreement (BAA) prior to Oct. 12, 2015,” according to OCR.
Furthermore, OCR found that the PHI of at least 10,728 individuals was disclosed to FileFax “when CCDH transferred the PHI to Filefax without obtaining Filefax's satisfactory assurance.”
Minnesota-based North Memorial Health Care also learned the hard way why it is essential to properly identify business associates.
The hospital failed to identify Accretive Health, Inc. as a business associate, and agreed to a $1.55 million OCR HIPAA settlement in 2016.
North Memorial filed a breach report in September 2011 when an unencrypted, password-protected laptop was stolen from an Accretive workforce member’s locked vehicle. The report stated that the ePHI of 9,497 individuals was possibly impacted.
OCR also found that North Memorial did not “complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure.”
Not having a BAA also led to an OCR HIPAA settlement for Care New England Health System (CNE).
OCR determined that Women & Infants Hospital of Rhode Island (WIH), a CNE covered entity, had lost unencrypted backup tapes that held the ultrasound studies of approximately 14,000 individuals.
This led to a $400,000 settlement, along with the requirement that CNE adhere to an OCR corrective action plan.
OCR also found that WIH had allowed CNE “to create, receive, maintain, or transmit PHI on its behalf, without obtaining satisfactory assurances as required under HIPAA.”
“From September 23, 2014, until August 28, 2015, WIH impermissibly disclosed the PHI of at least 14,004 individuals to its business associate when WIH provided CNE with access to PHI without obtaining satisfactory assurances, in the form of a written business associate agreement, that CNE would appropriately safeguard the PHI,” OCR explained.
Both covered entities and business associates will benefit from having a current and comprehensive BAA in place. That way, all parties understand how they are expected to store, transfer, and handle PHI and other sensitive information.
Additionally, BAAs will help ensure HIPAA compliance and demonstrate to OCR that the necessary steps were taken to keep data secure, should an investigation ever take place.
Identifying BAAs and reviewing the business associate relationship
Healthcare providers should not hesitate to reach out to a third party knowledgeable about business associate agreements to ensure that a thorough business associate agreement has been established.
For example, a lawyer who practices in the healthcare IT privacy and security space should understand the intricacies of HIPAA and understand what needs to be in place in a proper business associate agreement.
HHS also suggests the following resources for healthcare providers that want to know more about the HIPAA Privacy and Security Rules in general, beyond just business associate agreements:
- ONC’s Guide to Privacy and Security of Electronic Health Information
- State Attorneys General offices
- Medscape members’ Patient Privacy: A Guide for Providers
A thorough knowledge of HIPAA regulations will help providers understand the business associate relationship. Utilizing available tools and resources can also help organizations create applicable business associate agreements that will work toward PHI security.