Cyber threats evolve rapidly as new technologies emerge. There’s a growing threat to privacy and data on the internet globally. Therefore, the need for businesses to protect their personal information and that of others in their custody is crucial for business continuity.
Over the years, healthcare tech has grown massively, bringing new threats against patient data privacy and protection. All healthcare providers and health tech manufacturers must do all that’s within their power to protect their patients' personal information from cybercriminals. One of the ways they can achieve this is through a Business Associate Agreement (BAA).
The continuous growth of healthcare technology and a higher level of interoperability between healthcare systems has brought about the need for Health Insurance Portability, and Accountability Act (HIPAA) covered entities to form partnerships with other third parties that handle Protected Health Information (PHI) to ensure compliance, security, and privacy of their data assets. This partnership is covered under a Business Associate Agreement.
This article discusses BAAs and who HIPAA business associates (third parties) are. We also take a quick jab at some of the common covered entity BAA failures?
A Business Associate Agreement (BAA) is a written contract that stipulates each entity’s responsibilities regarding Protected Health Information (PHI). HIPAA requires covered entities to only work with business associates who assure complete protection of PHI. The agreement must be written between the covered entity and the business associate.
The written statement of the contract should specify that the business associate must implement appropriate physical, technical, and administrative protections to ensure the availability, integrity, and confidentiality of electronic PHI (ePHI) and meet the requirements of the HIPAA Security Rule.
Not everyone qualifies as a business associate. According to the US Department of Human and Health Services, a business associate is “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of or provides services to, a covered entity.”
Business associates are third parties who have access to PHIs because of their relationship with HIPAA-covered entities. Staff members of health care providers covered by HIPAA are not business associates, nor is someone who may encounter patient information by chance (like an electrician or engineer). Examples of business associates are
It’s important to remember that if a business associate appoints a task to another entity, then that entity is, by proxy, considered a subcontractor business associate, and all the same rules that apply to the business associate apply to them.
Additionally, suppose PHI is accessed by unauthorized individuals or cybercriminals, such as an internal breach. In that case, the business associate must inform the covered entity of the cybercrime, and it may be necessary to send notifications to individuals with compromised PHI. The BAA must detail the responsibilities and period for notifications.
A recent report found healthcare data breaches by cyber criminals resulted in a staggering 21.3 million records stolen and exposed, and business associates were to blame. It goes beyond saying, if you’re a HIPAA-covered entity, you must know who your business associates are. And if you’re a business associate, you must learn what you need to do to protect ePHI. The cost of non-compliance on either side of the partnership can be immense.
It’s pretty common for many software vendors not to receive PHI to perform activities representing the HIPAA-covered entity. Still, these software solutions end up with access to ePHI when the covered entities use their products and systems, which means the software provider, by extension, becomes a business associate. The problem with this is that some organizations that access ePHI are none HIPAA-compliant BAA.
While it’s true that there are exceptions for some entities that act as conduits through which ePHI simply pass through, software providers and cloud services do not partake of this exemption. Hence, the requirement of a business associate agreement stands.
Another common failure is many covered entities insist every contractor signs a Business Associate Agreement, even if they have no access to PHI. These covered entities are likely to take a safe approach to address their issues and execute agreements with entities they have business with, whether or not they are obliged to. A signed BAA doesn’t mean that the business or relationship is HIPAA-compliant.
The general provision or requirement is that a covered entity should obtain satisfactory assurances from its business associates. These associates will appropriately secure the protected health information they receive or create on behalf of the covered entity. All assurances must be in writing, whether in a contract or other agreements between the covered entity and its business associates. The HIPAA law requires covered entities to:
With Curogram, policies and procedures are in place to comply with HIPAA’s Privacy and Security Rule when transmitting electronically protected health information (ePHI) on behalf of your practice. You do not have to worry about non-compliance or breaches. If you want to learn more about Curogram’s HIPAA-compliant telemedicine software and how you can enter into a HIPAA-compliant business associate agreement with them, book a demo today.