
Business Associates in the Digital Healthcare World

15 May 2020 11:51 | Deleted user

Technological innovation in healthcare continues to rise as healthcare organizations take advantage of emerging technologies to deliver their services to patients. With this push for a digital healthcare experience, the healthcare startup market has skyrocketed over the past few years. According to Rock Health, digital health venture funding had a record start in 2020, with $3.1B invested early in Q1 2020. While the global pandemic has dramatically altered everyone's lives and every sector, the innovation to combat this pandemic and shift how healthcare services are delivered has been inspiring to see. 

Healthcare organizations, or HIPAA (Health Insurance Portability and Accountability Act) covered entities, will continue to partner with these startups and other organizations to digitally deliver their services to patients. This partnership is captured in an agreement known as a business associate agreement (BAA) between the covered entity and the organization providing functions or activities that require access to PHI, also known as a business associate.

It is often misunderstood who exactly is considered a HIPAA business associate. For those organizations that are classified as a business associate, are they required to comply with the HIPAA Security, Privacy and Breach Notification Rules? Does the covered entity or healthcare organization have any requirements to verify their compliance?

I am not a lawyer, and I am not intending to give legal advice on the HIPAA law. However, I hope this article will help you better understand business associates and their role in healthcare security. Understanding the requirements associated with being a business associate will help covered entities and business associates protect themselves from HIPAA fines.


According to the U.S. Department of Health and Human Services (HHS), a business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity.

In simpler terms, a business associate is a vendor or subcontractor that has access to PHI. Some examples of potential business associates are:

  • Cloud service providers, e.g. Amazon Web Services

  • Software companies that may be exposed to or use PHI

  • Providers of data transmission services, portals, or other interfaces created on behalf of covered entities that allow patients to share their data with the covered entity

  • Data storage providers (it does not matter whether the PHI can be viewed or is encrypted)

  • Law firms

  • External auditors or accountants

  • Answering services

  • E-prescribing services

  • Marketing firms

Healthcare-related organizations such as healthcare providers, insurance companies, pharmacies, healthcare clearinghouses, or nursing homes need business associates to provide their services. This presents a huge opportunity for organizations that are considered business associates to engage in business with these healthcare organizations.


In the interconnected healthcare digital world, business associates present a significant risk to the confidentiality, integrity, and availability of PHI. This is why business associates are directly liable for certain requirements of the HIPAA Rules. A few examples of recent business associate HIPAA violations are listed below:

  • Hawaii Pacific Health experienced a breach in which patient records were inappropriately accessed by a former employee of one of its partners.

  • Surefile, a record storage firm, reported a Hacking/IT incident to HHS that could have impacted close to 1 million records, according to the individual reporting the breach.

  • Interactive Medical Systems reported a Hacking/IT incident to HHS that could have impacted over 15,000 individuals.

  • SOLO Laboratories reported a Hacking/IT incident involving a network server that impacted over 60,000 individuals.

As required by section 13402(e)(4) of the HITECH Act, the HHS Secretary posts a list of covered entity and business associate breaches of unsecured protected health information affecting 500 or more individuals on the HHS breach portal. Business associates are important because, similar to covered entities, they have obligations under the HIPAA law.


The HIPAA Privacy Rule allows healthcare organizations (covered entities) to disclose PHI to business associates as long as they obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule (HHS).

The satisfactory assurances must be in writing and are captured in a business associate agreement, or BAA. BAAs are required to list the obligations of the business associate and what the business associate is agreeing to. A few examples of the obligations included in a BAA are:

  • Protecting PHI

  • Training employees

  • Breach notification

  • Subcontractor provisions to protect PHI

  • Returning or destroying information

Signing an agreement with a customer means you are now responsible for executing the obligations outlined in that agreement. Being a business associate and signing a BAA means that you are now liable for civil and criminal penalties for non-compliance with HIPAA regulations, as outlined in the HIPAA Omnibus Rule and the HITECH Act. HHS has published sample business associate agreement provisions to help organizations draft these contracts.

While this sounds like a hassle and a lot of work, there are benefits to being a business associate. Prioritizing compliance with the HIPAA Rules helps you protect your customers and your data, and differentiates your organization from your competitors.

Beyond signing a BAA, organizations often undergo assessments to prove to third parties that they are compliant with the HIPAA Rules. Proving your compliance with HIPAA to covered entities or other third parties often requires a third party to assess your organization and identify the administrative, physical and technical safeguards that are implemented and operating effectively. It is important to note that HIPAA is enforced by the HHS Office for Civil Rights (OCR). HHS does not endorse any HIPAA certification, compliance assessment, or assessment firm. However, proving to the OCR or to customers that you have implemented the necessary safeguards to comply with the HIPAA Rules is best accomplished by being evaluated by an independent, third-party auditor.


Business associates are vital components of the healthcare ecosystem, assisting healthcare providers and other covered entities in delivering their critical services to patients. Healthcare technology startups, along with other business associates and covered entities, will play a huge role in helping the world recover from COVID-19. Understanding the requirements for business associates will help ensure that PHI is protected and that organizations are protecting themselves from breaches, reputational damage, and potential legal issues.

© 2021 (ISC)2 South Florida  Chapter