The U.S. Health Insurance Portability and Accountability Act, more commonly known as HIPAA, is a set of data privacy and security provisions which apply to Covered Entities (such as healthcare providers, health plans, and health clearinghouses) in order to safeguard protected health information (PHI).
The rules of HIPAA also apply to individuals or organizations who work in association with or provide services to covered entities, such as IT contractors, accountants, cloud storage services, fax service providers, and so on. Under HIPAA, such entities are known as Business Associates, or BAs for short.
In order for a covered entity and a business associate to work together, HIPAA requires that a Business Associate Agreement (BAA), also known as a Business Associate Contract, exist between the two parties. The purpose of the BAA is to ensure the business associate will appropriately safeguard PHI in accordance with HIPAA guidelines. The BAA also serves to explicitly spell out the permissible uses and disclosures of PHI by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate.
Additionally, a BAA should spell out how a business associate will report and respond in the event of a data breach, including data breaches that are caused by a BA’s subcontractors, and include details of how the business associate will respond to an investigation by the Office for Civil Rights (OCR).
Signing a BAA does not guarantee HIPAA compliance
While the BAA exists to safeguard PHI, the agreement itself does not guarantee that either party is HIPAA compliant. Therefore, it is important that covered entities vet all potential business associates, in order to establish the following:
- Their awareness of HIPAA/HITECH rules
- The risks they pose to PHI and ePHI
- Their commitment levels to the BAA
- Their risk assessment procedures for avoiding a breach
- Their breach notification commitments and timescales
- Their list of subcontractors
- Their staff training policies
A strict vetting process helps covered entities assess the possible risks of sharing PHI with a potential business partner. If a covered entity enters blindly into a BAA with a vendor without thoroughly assessing the vendor’s commitment to HIPAA compliance first, it is putting its patients’ privacy as well as its own reputation at risk. This could be considered “willful neglect” by HHS, and is punishable by fines of up to $1.5 million.
In the event that a breach does occur, covered entities can receive a substantially smaller fine from HHS if they can provide evidence that they worked alongside the business associate, with due diligence, to minimize or fix any privacy or security weaknesses that existed prior to entering into the contract.
Put simply, any failings on the part of a business associate during its relationship with a covered entity may be considered a failing on the covered entity’s part too.
3 questions to ask a potential business associate
While by no means an exhaustive list, the following 3 questions should serve as a helpful starting point for covered entities looking to ascertain a prospective business associate’s commitment to HIPAA compliance.
1. How does your organization handle PHI?
Before signing a BAA, covered entities should look to establish how the prospective business associate will collect, store, process, and transfer sensitive health information. It is not enough to simply put trust in an organization without finding out how the data will be used throughout their workflows, and obtaining evidence that the necessary precautions are being taken to safeguard PHI, in accordance with HIPAA rules.
2. What is your incident detection and management process?
It is vital that covered entities seek assurances regarding a business associate’s commitment to detecting and reporting breach incidents, and the time it will take to report them. This information allows covered entities to establish whether this would leave adequate time to carry out an incident assessment report and meet any federal and state legal obligations in relation to breach response. HHS, for example, requires extensive breach notification documentation within 60 days of a PHI breach.
3. Have you had any privacy or security incidents with other covered entities?
Covered entities need to know they can trust the company they are about to enter into an agreement with, and, therefore, have every right to ask about any past breach incidents which may have occurred when working with other covered entities.
Don’t leave it too late
For covered entities, a detailed vetting process is a way to quantify the risk of sharing PHI with potential business associates, before entering into a potentially lengthy contract. As stated earlier in this article, by blindly entering into an agreement with a business associate, covered entities are putting themselves and their patients at significant risk.
Crucially, covered entities need to ensure they are vetting business associates before they sign on the dotted line. If assessments are performed only after the BAA has been finalized, it could already be too late.
Covered entities who have concerns over existing business associates would be wise to start the vetting process sooner rather than later. This will allow adequate time to find suitable replacements to step in when current contracts expire, should the results of the assessments not be satisfactory.