January 13, 2015

BAA isn't a Checkbox for HIPAA Compliance

Travis Good, MD

Co-founder & Chief Technology Officer

We get asked a lot about business associate agreements (BAAs). As you can see from the content on our blog here, here, and here, as well as our Learn entry here, we lay out the specific HIPAA rules for BAAs. We do this because BAAs are one of the most misunderstood and misinterpreted aspects of HIPAA. To be clear, BAAs are required to be signed by business associates (most of our customers) and subcontractors (business associates of a business associate). BAAs can’t be avoided, whether you cleanly fit into a bucket of customers or technologies defined by HHS (you store, transmit, and/or process PHI) or your hospital and payer customers determine you have to follow HIPAA (even if you don’t think so).

A major issue with BAAs is the perception that, as a tech vendor, signing a BAA with your “compliant” hosting provider makes you HIPAA compliant. (“Compliant” is in quotes because we’ve seen a rash of hosting providers claim HIPAA compliance when they are far from it. Presently there is no penalty for marketing yourself as HIPAA compliant—the real punishment comes financially to its customers when it’s too late.)

While HIPAA compliant is a loaded term, simply signing a BAA in no way makes you compliant. Complying with HIPAA requires many things, and signing BAAs is only one of them.

We recently had a call with members of the HHS and OCR privacy group about the absence of a clear BAA template, which results in a deluge of varying formats. That variation, coupled with the practice of large “compliant” hosting providers gating their BAAs behind NDAs, makes it exceptionally hard to grasp the purpose and state of BAAs.

Large “compliant” hosting providers know all of this, and clearly outline the obligations for themselves and their customers in BAAs. We always encourage prospective customers to read the BAAs from all vendors they are considering, including Catalyze, and to pay very close attention to their own outlined obligations. Oftentimes the obligations that hosting providers put on tech vendors are hard to meet, because they require resources to configure and secure the hosting environment. Therein lies the irony of the BAA as a checkbox for compliance: tech vendors sometimes don’t meet all of their obligations under those BAAs, and when that happens the BAAs aren’t even in effect, despite the tech vendors paying the increased cost associated with “compliant” hosting.

We debated about our BAA approach early on at Catalyze, but eventually settled on three key points.

  1. Be fully transparent.
  2. Provide as much research- and experience-backed content as possible to create an educational dialog around BAAs.
  3. Take the interpretation and guesswork out of BAAs by taking on all of the technology obligations under HIPAA other than application-level security (which we don’t have insight into for our customers).

We’re proud of where we landed with our BAA, and, while simply signing a BAA with us doesn’t make you completely HIPAA compliant, it does relieve much of your technological and legal burden so you can focus on changing healthcare for the better.
