Explaining Business Associate Agreements

By Sara Kassabian/ Published on October 23, 2018

If your business is exploring opportunities in the healthcare industry, chances are you will be working with health information that contains identifying details, also known as protected health information (PHI).

A business or organization is subject to the requirements of HIPAA anytime it has access to PHI. HIPAA is a law that outlines expectations for how institutions will secure PHI to protect the privacy of an individual.

The Department of Health and Human Services (HHS), which governs HIPAA, refers to the individuals or organizations that work in the healthcare space (e.g., providers, insurance companies etc.) as “covered entities”. It follows that these covered entities will develop their standard operating procedures for how PHI is managed under the guidance of HIPAA.

Businesses or individuals that are not part of the workforce of a covered entity, but are granted access to PHI, are referred to as “business associates”. Business associates are not covered entities, so HIPAA is usually not the guiding principle for how the business operates. In order to be granted access to PHI, a business associate must sign a contract with the covered entity.

This contract is called a “Business Associate Agreement” (BAA). The BAA establishes the expectations for how PHI will be managed and secured by the business associate. The eight components that must be clarified in the contract are available in detail here, but the agreement essentially outlines the way a business associate is permitted to access PHI and how it is expected to secure PHI.  

Imagining a typical BAA scenario

The example from our previous blog outlines a situation where data should be de-identified. This example presents a typical situation where a BAA is necessary. In our example: ACME Research and TrueVault are Business Associates; Gotham City Department of Health is the Covered Entity.

First, assume the Gotham City Department of Health (Covered Entity) hired ACME Research (Business Associate) to conduct an epidemiological study about the prevalence of PTSD in Gotham City.

In order to be granted access to the medical records of Gotham City residents (which constitutes PHI), ACME Research must first sign a BAA with the Department of Health outlining permissions and restrictions for accessing PHI, and the steps ACME will take to secure the PHI once it has the data. The PHI that is included in the data triggers the HIPAA Security Rule, which requires that ACME institute specific administrative, physical and technical safeguards to protect the PHI.

But ACME Research is in a bit of a bind. The company scoped the expectations for the HIPAA Security Rule and quickly realized it does not have the resources to build an application that adheres to these stringent requirements. But the BAA with the Department of Health requires that ACME comply with HIPAA, which means the security expectations must be met.

Fortunately, ACME does not need identifying details to conduct its study. ACME really only requires non-identifying demographic and medical information. If the PHI were de-identified, the data itself would become inert and the Security Rule would no longer apply.

The team at ACME Research realizes they cannot comply with the HIPAA Security Rule on their own. The company instead strikes another bargain with TrueVault, a company that guarantees compliance with the technical and physical requirements of the Security Rule. By using TrueVault’s technology, ACME Research can adhere to the expectations for securing PHI as outlined in their BAA with the Gotham City Department of Health. By signing a second BAA with TrueVault, ACME transfers the risk that follows PHI to a company with the technical capacity to handle it.

In short, a BAA is a contract that helps business associates and covered entities build consensus on how PHI will be secured according to HIPAA.

Addressing Common Misconceptions about Business Associate Agreements

A BAA is a contract between one or more business associates and a covered entity that promises compliance with HIPAA when PHI is involved.

  1. A BAA is only required when access to PHI transfers hands. Access to tokenized or otherwise de-identified health information does not require a BAA.
  2. There is no certification for HIPAA compliance. Your company won’t receive a stamp from HHS for becoming HIPAA compliant, but adherence to HIPAA is the standard for any individual or entity with access to PHI.
  3. BAAs create a ‘chain of responsibility.’ Each time a BAA is signed, all liability and HIPAA requirements are passed upstream between partners. For example, when TrueVault signs a BAA with ACME, all liability and HIPAA compliance requirements are passed to TrueVault. TrueVault does not need to sign a BAA with the Department of Health, even though that was the original source of the PHI, because ACME has already signed a BAA with this covered entity.
