The HIPAA Privacy Rule outlines the types of entities that are covered by HIPAA and entities that have to follow the HIPAA security and privacy rules. The main categories are clearinghouses, covered entities (CEs), and business associates. The further down the line the subcontractor gets from the covered entity, the more confusion there is about who really is a business associate and who needs to sign a business associate agreement.
Who is a Business Associate?
To put it very simply, a business associate is a person or organization who interacts with PHI from a covered entity or another business associate.
More specifically, in the process of providing services or technology to either a covered entity (for example, a hospital) or another business associate as a subcontractor (such as a PaaS provider like Datica), business associates handle, process, transmit, or in some way interact with electronic protected health information (ePHI) from those covered entities. With this PHI access, all business associates are required to sign what’s called a business associate agreement (BAA). The BAA is a legal contract that describes how the business associate adheres to HIPAA along with the responsibilities and risks they take on.
The BAA also typically defines the services that the business associate is providing, the type of data they are interacting with, and addresses areas around breach notifications (such as timelines), and penalties.
If I’m a Subcontracted Developer, Whose BAA do I sign?
Things got a lot more confusing when the HITECH HIPAA Omnibus Rule in 2013 expanded the simple earlier definition of business associate to include something called subcontractors. Subcontractors, like a software developer or hosting provider, are typically service or technology organizations that provide additional services to the business associates, which are providing services for the covered entities.
Think of it a chain of trust
It’s like a chain that follows the PHI from the very first link of the chain which is the covered entity. The next link would be the business associate and all of their subcontractors (also business associates) would be links that follow. Think of subcontractors as business associates of business associates. The BAA follows the direct path of the chain. So, a covered entity is not required to sign a BAA with their business associates’ subcontractors, but the business associate is.
Each party in the chain is required by regulation and by contract to protect the PHI and administer it consistently with the obligations of the covered entity at the top of the chain. So, for example, if a covered entity is a hospital and that hospital has a breach notification of 24-hours, every link (or business associate) of that chain needs to also specify 24 hour breach notification in their BAAs.
3 Common Misconceptions
We talk to development shops and vendors who get this wrong all the time. Here are three of the most common mistaken beliefs we hear:
- The vendor in question doesn’t necessarily need to be HIPAA-compliant because they aren’t storing data. Even though the vendor claimed they were not storing PHI, having data pass through their systems would still require protection under HIPAA. A BAA serves as a promise of this.
- They are HIPAA-compliant because they encrypted the data in transit and in storage. This is certainly crucial, but there is so much more to HIPAA than encrypting data. You can read about everything we do to be HIPAA-compliant in our policies. At a minimum, a vendor must encrypt data and ensure physical media meets HIPAA’s physical security requirements. As a result, that vendor would need to have a BAA signed with their hosting vendor to ensure legitimacy.
- The subcontractor doesn’t need to sign a BAA because the vendor they’re subcontracting for already has one in place with the covered entity. As of 2013, this is false. As soon as PHI passes through your system, you are also automatically considered a business associate and the vendor you subcontracted with will require a BAA from you. In fact, the latest rules state that covered entities MUST ensure they obtain satisfactory assurances from their business associates, and they must do the same with their subcontractors, and so on, no matter how far “down the chain” the information flows.
This may seem complicated, but don’t forget that the purpose of all of this is to ensure that individuals’ health information remains protected by all parties involved.