Compliance Standards

If your organization provides services to healthcare entities, such as IT support, cloud storage, billing, or legal services—you may be legally required to sign a HIPAA Business Associate Agreement (BAA).

This agreement ensures that your organization complies with the Health Insurance Portability and Accountability Act (HIPAA) when handling or accessing protected health information (PHI).

Entering into a BAA means committing to partial or full HIPAA compliance, which includes conducting risk assessments, implementing security controls, and maintaining appropriate data protection policies.

Are you ready to fulfill the requirements of a HIPAA BAA? Schedule a consultation to find out!

HIPAA Business Associate Agreements 101

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) exists to define and safeguard protected health information (PHI). It applies primarily to covered entities within the healthcare field. However, it also contractually requires business associates to safeguard PHI.

Understanding and staying compliant as a business associate requires knowing:

• What a HIPAA business associate agreement is and to whom it applies
• Which requirements fall on parties to a business associate agreement
• What can happen if a business associate agreement is broken 

The big takeaway of business associate considerations under HIPAA is that the regulation applies beyond the boundaries of healthcare to many stakeholders adjacent to the industry.

What is a HIPAA Business Associate Agreement?

A HIPAA Business Associate Agreement (BAA) is a legally binding contract that requires business associates to follow certain HIPAA compliance standards.

These associates, such as IT providers, billing services, or consultants, must either fully comply with HIPAA or support their covered entity partners in maintaining compliance.

The HIPAA BAA extends HIPAA’s privacy and security requirements beyond healthcare providers, ensuring that any third party with access to protected health information (PHI) also handles it responsibly.

These agreements are mandated and regulated by the Department of Health and Human Services (HHS) as part of HIPAA’s goal to safeguard patient data across the entire healthcare ecosystem.

To fully understand why these agreements are necessary, it’s important to know what qualifies as PHI. Protected health information includes any data that identifies an individual in connection with their physical or mental health, treatments received, or healthcare payments, whether in full documents or individual data points.

HIPAA Covered Entities and Business Associates

Business associate contracts are made between covered entities and their business associates, requiring the latter to (at minimum) help the former meet their HIPAA requirements. As for who these parties are, the HHS has established three categories of HIPAA covered entities:

• Healthcare providers, such as hospitals, pharmacies, and doctors
• Health plan entities, such as administrators and insurance companies
• Healthcare clearinghouses that process standardized health information

Business associates are any organizations that work with these entities in a way that requires them to come into contact with PHI.

There is no explicit restriction on which kinds of partners are considered business associates, but common examples include third-party administrators, accounting and legal services providers, consultants, and benefits managers working on plans.

Covered entities are the parties who produce, use, and otherwise come into contact with PHI the most. Business associates also come into contact with it regularly, so it applies to them too.

Business Associate Agreement HIPAA Requirements

HIPAA explicitly requires covered entities who work with business associates to operate under a business associate contract.

The specific requirements for what it must include are sparse, so covered entities have discretion over the particular terms. The only guarantee is that the contract ensures a business associate helps the covered entity ensure HIPAA compliance.

Under a business associate contract HIPAA can essentially apply to business associates as though they are HIPAA covered entities.

The practical upshot is that business associates need to prepare for HIPAA compliance just like covered entities to avoid any future complications.

Privacy Rule Requirements for Business Associates

The HIPAA Privacy Rule is the first and most fundamental part of the entire HIPAA framework. It defines both PHI and covered entities, along with their (and their business associates’) essential responsibilities with respect to safeguarding PHI.

Namely, PHI needs to be made available to its subjects (persons identified within the PHI) at their request. But it also needs to be protected such that no unauthorized disclosures or uses, except for a set of permitted ones, can happen.

Some practical examples of permitted disclosures include using limited data sets for approved research or making certain information available for disease prevention or other public benefits.

See the HHS’s summary of the Privacy Rule for a comprehensive list of permitted PHI uses.

Security Rule Requirements for Business Associates

The Security Rule builds on the Privacy Rule, adding specific controls organizations need to apply to ensure the confidentiality, integrity, and availability of PHI.

There are two major kinds of measures the Security Rule requires covered entities and business associates to implement.

The first prescriptive requirement is programmatic risk analysis and management, including regular risk assessments that document, address, and ideally neutralize threats to PHI.

The other prescriptive requirement is implementing three sets of safeguards:

• Administrative safeguards

• • • Formalizing security management processes
    • Assigning security personnel and responsibilities
    • Systematizing information access management
    • Providing workforce training and management
    • Conducting evaluations related to PHI security

• Physical safeguards

• • • Limiting and controlling access to facilities
    • Limiting and controlling access to devices

• Technical safeguards

• • Installing system-wide access controls
  • Conducting and logging security audits
  • Ensuring integrity and change management
  • Securing PHI for network transmission

Originally, these protections applied only to electronic PHI (ePHI), but the HITECH Act extended its requirements to all PHI that covered entities and business associates come into contact with.

Breach Notification Requirements for Business Associates

Covered entities and business associates also need to comply with the Breach Notification Rule, which requires monitoring and communication infrastructure to be in place to report on breaches as swiftly as possible.

HIPAA considers a breach to have happened if identifiable PHI is accessed without authorization in any way beyond the permitted uses and disclosures.

If a breach has occurred, the covered entity or business associate who becomes aware of it needs to provide notice to one or more parties.

In particular, notice needs to be given to all pirates impacted by the breach. The secretary of the HHS must also be notified. And, if the breach impacts 500 or more people, media outlets serving their community must be notified.

If the breach is discovered by the business associate, their responsibility may be to provide these notices or to inform the covered entity proper to handle other required notices.

The business associate agreement will detail all specific responsibilities related to this rule.

The Stakes of Business Associate Compliance

Unlike some other regulatory contexts, HIPAA does not require a certification assessment to affirm compliance. Instead, the HHS mandates that organizations operating in the field are HIPAA compliant, and assessments happen if a breach or other non-compliance incident occurs.

If a covered entity (or business associate) is found to be in violation, one or both parties may be subject to HIPAA enforcement, including fines and criminal charges.

In particular, business associate contracts often distribute the liability for noncompliance issues between the business associate and covered entity, depending on the responsible party for the particular data breach or incident in question.

In practice, causing a HIPAA violation might be a breach of contract, and it can open the business associate up to the HHS’s enforcement arm.

To avoid these possibilities, covered entities and business associates are encouraged to work with third-party HIPAA advisors and assessors to optimize all elements of their cyberdefenses.

Achieve and Maintain Compliance

If your organization works directly in healthcare, or it partners with other organizations that are covered entities, you may need to comply with HIPAA—or at least help a partner comply. If that’s the case, you’ll need to ensure that your cyberdefenses meet HIPAA standards.

RSI Security has helped countless organizations in and adjacent to healthcare comply with HIPAA. We know that the right way is the only way to keep sensitive data and patients safe.

Protect your organization from costly HIPAA violations, download our   HIPAA Checklist today to ensure you’re fully compliant

 Download Our HIPAA Checklist

If your organization needs to comply with HIPAA, you’ll need to safeguard protected health information (PHI) and keep an eye out for:

• Identifiable records related to patients’ health conditions
• Identifiable records related to the provision of healthcare services
• Identifiable records related to payments for healthcare provided
• Methods for de-identifying PHI to lessen the scope of compliance
• Approaches to comprehensive HIPAA compliance implementation

Example #1: Records of Patients’ Health Conditions

The Health Insurance Portability and Accountability Act (HIPAA) exists to ensure that protected health information (PHI) is safeguarded. The kinds of information that can qualify as PHI are defined in the Privacy Rule.

The first of these is any record that contains or pertains to an individual’s past, present, or future health conditions—including physical and mental health.

The first example is the most straightforward and involves the least abstraction. Records that contain identifiable information about a patient (i.e., their name—see below) alongside any information about their health conditions can qualify as PHI.

One common pitfall in this respect is the mishandling of demographic data pertaining to individuals’ disabilities. Even if collected or used in good faith, this information needs to be safeguarded to protect these individuals’ rights.

Example #2: Records of Healthcare Services Provided

Closely related to the example above, yet distinct from it, PHI includes all records of healthcare services provided to an individual. The distinction is that the first example specifically hinges on whether or not a person is being identified alongside a condition (permanent or otherwise). But, in this case, a document is PHI if it associates an individual with a procedure they’ve received.

Common examples of service-provision PHI documents include:

• Records of medical procedures performed (i.e., operations)
• Records or notes pertaining to ongoing treatment (i.e., therapy)
• Records of medications or supplements prescribed or recommended

Any organization that is subject to HIPAA needs to de-identify and/or protect these kinds of documents, and any traces of this kind of information. See below for guidance on how.

Example #3: Records of Payment for Healthcare Services

In addition, according to the HIPAA Privacy Rule protected health information includes records of past, present, or future payment made in exchange for the provision of healthcare. If #2 is an abstraction of #1, this type of PHI further abstracts the individual from their health concerns, qualifying a document as PHI if it associates an individual with a payment made for healthcare.

One common instance of payment information qualifying as PHI under HIPAA is credit card and other transaction records being maintained digitally. Often, records of this nature are kept for standard bookkeeping or even for compliance with other regulatory frameworks.

However, if they include patients’ names and other identifiable criteria, they may qualify as electronic protected information (ePHI). If so, they need to be de-identified and/or safeguarded.

How to De-Identify PHI for HIPAA Compliance

Under HIPAA protected health information needs to be treated such that, if it were leaked or otherwise fell into the wrong hands, the individual it concerns could not be identified by it.

The Department of Health and Human Services (HHS) prescribes two de-identification methods:

• Expert Determination – An individual with substantial knowledge and training in threat and statistical modeling is able to demonstrate a negligible degree of identification risk.

• Safe Harbor – All categories of identifiable information (names, locations, dates, contact information, ID and related numbers, possessions, etc.) are removed from documents.

Organizations subject to HIPAA, including both covered entities and their business associates, should utilize one or both methods as much as possible to minimize the scope of identifiable PHI within their systems. HIPAA data breaches concern identifiable PHI exclusively.

How to Safeguard Identifiable PHI for HIPAA Compliance

All protected health information, identifiable or not, needs to be safeguarded according to HIPAA’s prescriptive rules. The Privacy Rule, noted above, requires controlling use and disclosure and preventing all but a select set of permitted disclosures while also ensuring information subjects have the ability to access PHI about or concerning them on demand.

The Security Rule augments the Privacy Rule, adding proactive protections and controls that organizations need to install. These include administrative, physical, and technical safeguards, along with programmatic risk assessments that often necessitate the use of penetration tests.

Finally, there is the Breach Notification Rule, which requires monitoring and communication infrastructure to identify and report on any breach of identifiable PHI as soon as possible.

Streamline Your HIPAA Compliance Process

Critically, PHI is a relatively wide category of information that includes both health-specific documentation and more generalized records, such as payment data.

Organizations in and adjacent to healthcare need to be aware of these common PHI types that they may come across so that they can de-identify and safeguard them to maintain HIPAA compliance.

RSI Security has helped healthcare organizations and their strategic partners steer clear of HIPAA enforcement for over a decade.

We believe that discipline up-front unlocks greater freedom to grow down the road, and we’ll help you rethink and optimize your compliance.

To learn more about protected health information and HIPAA, contact RSI Security today!

Download Our HIPAA Checklist