The HIPAA Omnibus Rule that went into effect in 2013 changed the landscape of HIPAA. It created a new name for business associate called a “subcontractor”. In much the same way a business associate processes, transmits, or stores ePHI for a covered entities, a subcontractor processes, transmits, or stores ePHI for a business associate.
It’s easier to just consider them a business associate of a business associate. And subcontractors are required to sign business associate agreements (BAAs). We get asked a lot about subcontractors and BAAs by customers and prospects.
In creating this new category of entities, the Omnibus Rule accounted for the paradigm shift in technology development and cloud computing. The most commonly used example of a subcontractor is a cloud hosting provider, like Catalyze. But there are many other types of services that could be considered subcontractors. As data and services are exposed using web services, typically APIs, there is a huge number of BLANK as a Service offerings that have cropped up. Many modern applications utilize third party APIs for features and functionality. Using simple to consume APIs, modern applications can tap into databases, messaging (SMS or Push or email or Voice), metrics, logging, customer support, data sources, backup, and on and on. When applications use APIs, depending on the service, certain data is passed back and forth to third parties. According to the new Omnibus Rule, if ePHI data is passed to these 3rd party web services, those services are subcontractors and required to sign BAAs. Since things like IP addresses, when combined with information like a providers name, date of service, payment for healthcare service, can be considered ePHI, this gets very murky, very fast.
What we’re starting to see now, and what we should see a lot more of, are chains of BAAs from covered entity to a business associate to any number of subcontractors for that business associate. At the center is the covered entity. Branching out from there into business associates and then subcontractors, sort of like a tree. With this chain of relationships and BAAs, all entities are typically taking on some risk.
The main questions relate to responsibility and risk exposure. At the end of they day, it’s the covered entity, and likely the compliance office at the covered entity, that is going to decide what is acceptable for its business associates, and in turn what is acceptable for the subcontractors of its business associates. In the case of many compliant infrastructure providers, the BAAs they sign assume very little risk and leave much of the technical responsibility, and associated risk of a breach, on the customers that use them; we created Catalyze to provide a more sane approach to compliance, acting as more of a partner and full service compliance platform, with the associate risk that entails, to make it simpler to utilize the cloud in a compliant way.