As healthcare data continues to grow and needs to be both portable and accessible, many organizations turn to third parties for help storing, converting, and moving it. Under HIPAA, a partner that handles protected health information (PHI) on your behalf is a business associate, and the contract that governs that relationship is a business associate agreement (BAA). If your organization shares PHI with a partner, a BAA must be in place before the data changes hands.
What Is a BAA?
According to the U.S. Department of Health and Human Services (HHS), any individual or entity that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity is a business associate. When customers work with InfoWerks for data management solutions, we require a BAA with every one of them. The BAA is our contractual commitment that we will handle their PHI in compliance with HIPAA.
A BAA is not always necessary. HHS defines a handful of exceptions, including:
- Disclosures by a covered entity to a healthcare provider for treatment of the individual
- The collection and sharing of PHI by a health plan that is a public benefits program, such as Medicare
- Disclosures to a health plan sponsor, such as an employer, by a group health plan, or by the health insurance issuer or HMO that provides the health insurance benefits or coverage for the group health plan
- Transmission of PHI through a mere conduit, such as the U.S. Postal Service, that only carries the data and does not access it beyond what transmission requires
HIPAA changed how healthcare organizations and their partners treat PHI. As a healthcare organization, you must ensure that your partner will safeguard PHI, and since the 2013 Omnibus Rule, business associates are directly liable under HIPAA for their own violations, not just for the covered entity's.
The BAA spells out each party's obligations with respect to PHI. It describes the uses and disclosures of PHI that the business associate is permitted or required to make, and it requires the business associate not to use or disclose PHI in any other way except as required by law. A compliant BAA also obligates the business associate to apply appropriate safeguards, to report security incidents and breaches to the covered entity, to bind any subcontractors that handle PHI to the same restrictions, and to return or destroy the PHI when the agreement ends.
Cloud Services as Business Associates
When HIPAA was enacted in 1996, cloud-hosted electronic PHI (ePHI) was not a concern. Now, most healthcare entities and their partners hold ePHI in the cloud. HHS released guidance specifically on cloud computing in 2016.
That guidance makes clear that ePHI is PHI, and that the HIPAA rules apply to it wherever it lives. A cloud service provider that creates, receives, maintains, or transmits ePHI on behalf of a covered entity or another business associate is itself a business associate and needs a BAA. This holds even when the provider only stores the data and never looks at it, and even when the data is encrypted and the provider has no key: encryption does not take the provider out of the business associate definition. What encryption does do is reduce breach exposure. Encrypting ePHI at rest is an addressable safeguard under the Security Rule, and ePHI encrypted in line with HHS guidance is not "unsecured PHI," so its loss does not by itself trigger breach notification.
BAA Violation Consequences
If you don't have a BAA with your partners, you can be heavily fined. One of the largest settlements tied to a missing BAA involved North Memorial Health Care. North Memorial had disclosed PHI to a partner, Accretive Health, without first executing a BAA. The breach itself came from the theft of an unencrypted laptop from an Accretive employee's locked vehicle, exposing the ePHI of 9,497 individuals. HHS also faulted North Memorial for never having conducted an organization-wide risk analysis. The health system agreed to a $1.55M settlement in 2016 to resolve the violations.
Stay Compliant, Always Have a Business Associate Agreement with Partners
When you enter into a partnership that involves PHI, insist on a signed BAA before sharing any data. Confirm that your partners train their employees on HIPAA, and that they flow the same BAA obligations down to any subcontractors who will touch your PHI. Safer, more secure data should be top of mind in every one of your business relationships.