If your organization is involved in the healthcare industry indirectly, such as through strategic partnerships with healthcare providers, you may be required to sign a business associate agreement. That means achieving partial or full HIPAA compliance through implementation and assessments.
Are you ready to fulfill the requirements of a HIPAA BAA? Schedule a consultation to find out!
HIPAA Business Associate Agreements 101
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) exists to define and safeguard protected health information (PHI). It applies primarily to covered entities within the healthcare field. However, it also contractually requires business associates to safeguard PHI.
Understanding and staying compliant as a business associate requires knowing:
- What a HIPAA business associate agreement is and to whom it applies
- Which requirements fall on parties to a business associate agreement
- What can happen if a business associate agreement is broken
The big takeaway of business associate considerations under HIPAA is that the regulation applies beyond the boundaries of healthcare to many stakeholders adjacent to the industry.
What is a HIPAA Business Associate Agreement?
Put simply, business associate agreements require business associates to comply with some or all of HIPAA—or, at the very least, contribute to their covered entity partners’ HIPAA compliance.
A HIPAA business associate agreement (sometimes called a HIPAA BAA) is a contractual agreement that extends the scope of HIPAA compliance. The Department of Health and Human Services (HHS) oversees HIPAA to protect patients across the web of healthcare providers in the US, ensuring their privacy is protected by tightly regulating highly sensitive documents.
As noted above, HIPAA exists to defend PHI. The best way to understand why HIPAA applies how and to whom it does is to understand what PHI is. Namely, it’s any document (or a portion thereof) that contains personally identifiable information related to an individual’s physical or mental health conditions, treatments received, or payments made for health treatments.
HIPAA Covered Entities and Business Associates
Business associate contracts are made between covered entities and their business associates, requiring the latter to (at minimum) help the former meet their HIPAA requirements. As for who these parties are, the HHS has established three categories of HIPAA covered entities:
- Healthcare providers, such as hospitals, pharmacies, and doctors
- Health plan entities, such as administrators and insurance companies
- Healthcare clearinghouses that process standardized health information
Business associates are any organizations that work with these entities in a way that requires them to come into contact with PHI. There is no explicit restriction on which kinds of partners are considered business associates, but common examples include third-party administrators, accounting and legal services providers, consultants, and benefits managers working on plans.
Covered entities are the parties who produce, use, and otherwise come into contact with PHI the most. Business associates also come into contact with it regularly, so HIPAA’s protections for PHI extend to them as well.
Business Associate Agreement HIPAA Requirements
HIPAA explicitly requires covered entities who work with business associates to operate under a business associate contract. The specific requirements for what it must include are sparse, so covered entities have discretion over the particular terms. The only guarantee is that the contract ensures a business associate helps the covered entity ensure HIPAA compliance.
Under a business associate contract, HIPAA can essentially apply to business associates as though they were HIPAA covered entities. The practical upshot is that business associates need to prepare for HIPAA compliance just like covered entities do, to avoid any future complications.
Privacy Rule Requirements for Business Associates
The HIPAA Privacy Rule is the first and most fundamental part of the entire HIPAA framework. It defines both PHI and covered entities, along with their (and their business associates’) essential responsibilities with respect to safeguarding PHI. Namely, PHI needs to be made available to its subjects (persons identified within the PHI) at their request. But it also needs to be protected such that no unauthorized disclosures or uses, except for a set of permitted ones, can happen.
Some practical examples of permitted disclosures include using limited data sets for approved research or making certain information available for disease prevention or other public benefits.
See the HHS’s summary of the Privacy Rule for a comprehensive list of permitted PHI uses.
Security Rule Requirements for Business Associates
The Security Rule builds on the Privacy Rule, adding specific controls organizations need to apply to ensure the confidentiality, integrity, and availability of PHI. There are two major kinds of measures the Security Rule requires covered entities and business associates to implement.
The first prescriptive requirement is programmatic risk analysis and management, including regular risk assessments that document, address, and ideally neutralize threats to PHI.
The other prescriptive requirement is implementing three sets of safeguards:
- Administrative safeguards
  - Formalizing security management processes
  - Assigning security personnel and responsibilities
  - Systematizing information access management
  - Providing workforce training and management
  - Conducting evaluations related to PHI security
- Physical safeguards
  - Limiting and controlling access to facilities
  - Limiting and controlling access to devices
- Technical safeguards
  - Installing system-wide access controls
  - Conducting and logging security audits
  - Ensuring integrity and change management
  - Securing PHI for network transmission
Originally, these protections applied only to electronic PHI (ePHI), but the HITECH Act extended these requirements to all PHI that covered entities and business associates come into contact with.
Breach Notification Requirements for Business Associates
Covered entities and business associates also need to comply with the Breach Notification Rule, which requires monitoring and communication infrastructure to be in place to report on breaches as swiftly as possible. HIPAA considers a breach to have happened if identifiable PHI is accessed without authorization in any way beyond the permitted uses and disclosures.
If a breach has occurred, the covered entity or business associate who becomes aware of it needs to provide notice to one or more parties. In particular, notice needs to be given to all individuals affected by the breach. The Secretary of the HHS must also be notified. And, if the breach affects 500 or more people, media outlets serving their community must be notified.
If the breach is discovered by the business associate, its responsibility may be either to provide these notices itself or to inform the covered entity so that the covered entity can handle the other required notices. The business associate agreement will detail all specific responsibilities related to this rule.
The Stakes of Business Associate Compliance
Unlike some other regulatory contexts, HIPAA does not require a certification assessment to affirm compliance. Instead, the HHS mandates that organizations operating in the field are HIPAA compliant, and assessments happen if a breach or other non-compliance incident occurs. If a covered entity (or business associate) is found to be in violation of HIPAA, one or both parties may be subject to HIPAA enforcement, including fines and criminal charges.
In particular, business associate contracts often distribute the liability for noncompliance between the business associate and the covered entity, depending on which party is responsible for the particular data breach or incident in question. In practice, causing a HIPAA violation may constitute a breach of contract, and it can expose the business associate to the HHS’s enforcement arm.
To avoid these possibilities, covered entities and business associates are encouraged to work with third-party HIPAA advisors and assessors to optimize all elements of their cyberdefenses.
Achieve and Maintain HIPAA Compliance
If your organization works directly in healthcare, or it partners with other organizations that are covered entities, you may need to comply with HIPAA—or at least help a partner comply. If that’s the case, you’ll need to ensure that your cyberdefenses meet HIPAA standards.
RSI Security has helped countless organizations in and adjacent to healthcare comply with HIPAA. We know that the right way is the only way to keep sensitive data and patients safe.
To learn more about HIPAA and business associate agreements, contact RSI Security today!