The current COVID-19 epidemic has a lot of healthcare providers turning to telemedicine to treat their patients. With the continued growth of telemedicine and more data being shared between provider systems, HIPAA-covered entities will need to ensure that the other organizations they work with will protect the security of their data and patient information.
The agreements made for such partnerships are known as business associate agreements (BAAs). But what exactly is a BAA? Who is considered a business associate? Who needs to have a BAA in place to be HIPAA compliant? What happens if there is a breach?
BAAs are a vital piece of the healthcare security system, and there are a few critical things you must know before putting one in place.
The particulars of BAAs
A BAA is a document mandated by the HIPAA Security Rule, which “establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”
A BAA includes information about both permissible and impermissible uses of protected health information (PHI) between the provider and the business associate. It clearly specifies each party’s responsibilities when it comes to PHI, and states that the business associate “will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law.”
Covered entities that must sign BAAs with business associates include but are not limited to
- Health insurance companies
- Nursing homes
What is a business associate?
Under the current law, the HIPAA Privacy Rule applies only to covered entities like those mentioned above. However, a majority of those providers and health plans don’t conduct all their health care activities and functions on their own. Instead, they often use the services of other people or businesses — these are considered “business associates.”
According to the Department of Health and Human Services, a business associate is
a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involves access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.
For example, if you’re a healthcare provider who is using Zoom to conduct telehealth services, you need to have a signed BAA with Zoom — the business associate — in order to transmit PHI and be HIPAA compliant. Other examples of business associates include
- A third-party administrator who conducts claims processing for a health plan
- An independent transcriptionist who helps a physician with transcription services
- The benefits manager of a pharmacy who manages the pharmacist network of a health plan
What if a BAA is breached?
The purpose of a BAA is to protect organizations from liability in the event of a breach. If one of the two parties is responsible for a breach of PHI, then the BAA should clearly hold that party responsible. Not having a BAA can cost your organization not just your reputation and the trust of your patients but also a lot of money.
In 2017, the Center for Children’s Digestive Health (CCDH) was fined $31,000 for neglecting to have a BAA with patient information storage provider FileFax Inc. The PHI of at least 10,728 individuals was disclosed to FileFax “when CCDH transferred the PHI to Filefax without obtaining Filefax’s satisfactory assurance.”
But that’s small change compared to North Memorial Health Care of Minnesota, which paid approximately $1.5 million in HIPAA settlement fines after it failed to identify its business associates. The hospital didn’t identify Accretive Health as a business associate, and an Accretive employee’s laptop was stolen, disclosing PHI for thousands of North Memorial clients. Because there was no agreement, the hospital was held liable for the breach.
Moving forward with BAAs
Because a BAA is a legally binding agreement, it’s prudent to reach out to a third party knowledgeable about BAAs and healthcare IT/security to ensure that your agreement is thorough. A good BAA will protect both parties in the case of a breach, and it’s worth investing in a lawyer who can ensure proper language is included.
The goal is to ensure not only HIPAA compliance but also the security of your patients’ PHI — and their trust in you and your organization.