Who Are Healthcare Business Associates?
As defined under HIPAA, a healthcare business associate is “a person or entity that performs functions or activities that involve the use or disclosure of protected health information on behalf of, or provides service to, a covered entity.”
Third Party HIPAA Compliance
Organizations covered by HIPAA often partner with other organizations or individuals to perform business activities on their behalf, and sometimes these functions require access to personal health information. The disclosure of personal health information is allowed to a “business associate.” However, the third party can only access and use relevant personal information for the specified business purposes. Additionally, a business associate must maintain the security and privacy of patients’ personal information.
What Is A Business Associate Agreement?
A business associate agreement (BAA) is a way for organizations to protect themselves from improper access and disclosure by third parties. While BAAs address the issue of data privacy through a legal lens, they are no substitute for robust data privacy protection measures. Even if business associates were to always behave in good faith, they still represent a potential point of vulnerability that malicious actors can exploit to reach patient data.
The Specifics of Business Associate Agreements (BAAs)
- HIPAA Omnibus Rule & Business Associate Agreements
- Purpose of BAAs
- What happens if the BAA is violated
HIPAA Omnibus Rule Business Associate Agreement
Due to legal and compliance issues, organizations covered by HIPAA often enter into formal written agreements with business associates that have access to personal health information. The 2013 HIPAA Omnibus Rule provides guidance on what should be included in these agreements.
The rule states that a covered organization must receive concrete, written assurance from its associate pertaining to the safeguarding of any protected information that it receives or creates for the covered organization.
In other words, third parties must promise to do their best to keep confidential information confidential. While they should have technological data protection measures in place, the BAA provides an additional, legal layer of protection, albeit a thin one. Without foundational data privacy safeguards in place — such as what the TripleBlind Solution offers — they leave themselves open to data breaches.
Purpose Of Business Associate Agreement
- Outline permitted uses of personal information
- State the business associate won’t use/disclose protected information beyond agreed upon uses
Outline Permitted Uses
A business associate agreement must outline the permitted uses of personal information.
It must also explicitly state that the business associate will not use or disclose the protected information beyond what is outlined in the written agreement.
What Happens If The Business Associate Violates The Agreement?
If the business associate violates the written agreement, the covered organization must take reasonable steps to address any HIPAA violations. If the covered entity cannot successfully address any violations, it must terminate the agreement and report all violations to government authorities.
Both the covered organization and the business associate benefit from entering into a comprehensive written agreement. This measure helps all involved parties understand expectations related to the transfer, storage, and use of personal health information.
HIPAA business associate agreements also support compliance and serve as proof for government inspectors that the appropriate steps were taken to ensure the proper use and protection of personal health information.
A BAA Provides Minimal Protection
However, having only a BAA as a way to protect private data presents a substantial risk. Without additional safeguards in place, the agreements rely heavily on trust: trust that the partner will not engage in nefarious activity or otherwise misuse, misplace, or unintentionally compromise the privacy and security of sensitive information through negligence. Again, BAAs should not be the only privacy protection measure in place. Breaches of sensitive data are irreversible, meaning there are no remedies after the fact, other than stopping the continued leakage.
When Business Associates Violate HIPAA
Business associates that violate a written agreement have more to worry about than just business-related consequences. These third-party organizations can also be held liable for the exposure of personal health information under HIPAA regulations if they do not remain BAA compliant.
The Importance Of HIPAA Compliance For Business Associates
According to the Department of Health and Human Services, business associates can be held liable for a number of HIPAA violations, including:
- Improperly using or disclosing personal health information
- Not meeting the requirements outlined by the 2013 HHS Omnibus Rule
- Not being able to provide compliance-related records and reports upon request from government regulators
- Retaliating against individuals or organizations for registering a HIPAA complaint
- Retaliating against individuals or organizations for participating in a compliance investigation or enforcement action
- Not notifying a covered organization or another business associate of a data breach or misuse
- Failing to provide a copy of an individual’s personal health information upon request
- Not limiting the use or access of personal information to the purposes for which it was provided
- Not entering into or complying with business associate agreements for subcontractors or additional third parties that receive or create personal health information
- Failing to take reasonable action in the event of a data breach or subcontractor’s violation of a business associate agreement
The Risk of Relying on BAAs Alone
The primary issues with BAAs are that they provide only post facto mechanisms for punishing bad actors, and that they are complex, onerous, and expensive to put in place.
There are two situations in which a BAA would fail. The first is negligence on the part of the third party. The second is when the monetary benefit of breaking a BAA is far greater than the potential penalties.
Given the limitations, businesses must invest resources in scrutinizing third parties before entering into an agreement with them. The level of scrutiny an organization places on a third party should be dictated by the type and amount of data it will be handling. Patient files are more sensitive than summary statistics about workforce demographics or app usage data.
Any business that uses BAAs should also conduct annual reviews of existing business associates. Often, annual reviews are part of a HIPAA BAA checklist that is used in tandem with the company’s procurement cycle. This forces vendors to participate in a reassessment before their fees are paid.
Companies often have to contract a neutral third party that conducts the assessment of business associates. Attorneys that specialize in HIPAA and business associate agreements are best positioned to conduct these assessments, and their services can be costly.
Back Up BAAs with Superior Data Protection
There is a lot of uncertainty when it comes to handling sensitive personal information. Fortunately, next-generation privacy technology from TripleBlind can eliminate much of this uncertainty by optimizing your organization’s protection for data in use.
While BAAs are an integral piece of the data privacy pie, our trusted cutting-edge solution facilitates better privacy and security for organizations around the world, helping our clients put their sensitive data to use. When it comes to working with business associates, TripleBlind allows health organizations to make their data accessible while also ensuring that it remains protected at every step, enforcing BAA compliance through technology, not trust.
TripleBlind preserves privacy and enforces compliance through its software-only API-based solution. The company’s innovations build on well-understood principles like federated learning and multi-party compute, to radically improve the practical use of privacy preserving technologies and privacy with HIPAA. Plus, the TripleBlind solution offers auditable digital rights, allowing healthcare and life sciences organizations to set how data may be used by a counter-party. That ensures that patient data is used by business associates in approved ways only. Our technology also compared favorably to several other privacy-enhancing computation methods, including homomorphic encryption, synthetic data, federated learning, and differential privacy.
Please contact us to set up a demo and learn more about our revolutionary technology.
Business Associate Agreement FAQs
As a software vendor, what do I need to do to become a HIPAA-compliant Business Associate?
HIPAA And HITECH Require Adherence To
- The Privacy Rule, which allows patients to decide who has access to their medical records and places specific limits on how providers can access, use, or store patient health information.
- The Security Rule, which ensures that electronically transmitted patient health information is protected through appropriate administrative, physical, and technical safeguards.
- The Breach Notification Rule, which requires covered entities to send alerts upon discovery of a breach. Once a covered entity becomes aware of a breach, alerts must be sent within the next 60 days.
Third-party software vendors are included in these provisions. HIPAA-compliant Business Associate contracts must adhere to these requirements by establishing the permitted and required uses and disclosures of protected health information, implementing safeguards against unauthorized use, and reporting any use or disclosures outside of contract specifications. Here is additional information about HIPAA-compliant Business Associate Agreements.
If, as a Business Associate, I share ePHI with other companies, do I need to sign an agreement with them?
Yes. Under HIPAA and HITECH, any covered entity (including Business Associates) must sign a Business Associate Agreement when sharing electronic protected health information (ePHI).
Is it always necessary for third party service providers to sign an agreement with a Covered Entity?
Yes. HIPAA’s Privacy Rule requires all Covered Entities to sign Business Associate Agreements with any third-party service provider that may come in contact with PHI or ePHI. This is specified under HIPAA’s Omnibus Rule.
What are the exceptions to the requirement to sign a Business Associate Agreement?
Business Associate Agreements are not required with individuals or organizations whose functions, activities, and/or services do not involve the use or disclosure of PHI or ePHI.
How can a Covered Entity be a Business Associate for another Covered Entity?
If one HIPAA-Covered Entity hires another HIPAA-Covered Entity who “creates, receives, maintains, or transmits” PHI or ePHI in the course of performing services, then the hired HIPAA-Covered Entity becomes a Business Associate and requires a Business Associate Agreement.
How frequently should HIPAA Business Associate Agreements be renewed?
HIPAA BAAs that are “evergreen” (permanently valid) do not require renewal unless a regulatory rule change occurs. If both the Covered Entity and Business Associate agree to an “evergreen” contract, then the contract will renew automatically.
Who are Business Associate Subcontractors?
Business Associate Subcontractors create, receive, maintain, or transmit PHI or ePHI on behalf of another Business Associate. A Business Associate Subcontractor Agreement (known as a subcontractor BAA) legally binds a business associate of a covered entity and a business associate of that business associate.
Who is not considered a Business Associate/Subcontractor?
Contractors who do not handle PHI or ePHI and who work exclusively with your company, your clients, and workers hired through a business are not considered Business Associates. However, the hiring organization is liable in the event a non-Business Associate/Subcontractor breaches PHI.
What Happens If My Business Associate/Subcontractor Discloses PHI?
Business Associates are directly liable under HIPAA rules. If a Business Associate or Subcontractor discloses PHI, they will be liable to civil and potentially criminal penalties.