HIPAA reaches a large part of the private sector. Its coverage ranges from healthcare providers and insurance companies to healthcare clearinghouses, and extends to the third parties these organizations work with. The list is vast, and because HIPAA protects Protected Health Information (PHI) in every form, from paper records to files stored in the cloud, enforcement is challenging: an improper disclosure can be very hard to trace back to its source.
For one, many third parties must hold or access sensitive health information simply to perform their functions. Translation or transcription services asked to render a claim into a different language or format will inevitably see PHI. The same goes for legal service providers working with health insurers, since their work may involve reviewing patient data.
It does not end there. The third parties that perform functions for covered businesses, or “covered entities”, often hire further external parties for services of their own. An auditing firm holding piles of protected health records might hire a cleaning service whose workers could see some of those documents. Unauthorized access to PHI is difficult to track, especially when there is little evidence of who viewed a record and how much of it they saw. This is why Business Associate Agreements are needed.
Business Associate Agreements
Although HIPAA has many enforcement tools in its arsenal, Business Associate Agreements are the contractual mechanism that binds a third party to the obligations of HIPAA’s Privacy Rule. So, what is a BAA?
Simply put, a BAA is either a stand-alone document or a section of a larger contract that deals with privacy obligations. In either case, the Business Associate Agreement portion will almost always contain clauses covering:
- The parties or entities involved in the BAA
- Why it is necessary for these said parties to view the data
- The minimum necessary scope of what these parties have access to
- Sanctions and terms upon breaking the agreement
The terms “Business Associate Agreement” and “Business Associate Contract” are used interchangeably; which one a person uses is a matter of preference. In substance, both are legally binding instruments that commit two or more businesses to HIPAA compliance. Having one in place makes it far easier to define responsibilities and to pursue appropriate legal action when HIPAA’s standards and rules are violated.
If two organizations exchange PHI without a BAA in place and one of them suffers a data breach or an unauthorized access or disclosure, both can end up facing penalties. The failure to enter into a BAA is itself a violation, because the agreement is what defines the boundaries and rules between the two businesses.
This happened to a children’s healthcare provider that settled for about $31,000 after it disclosed health information to a medical records storage firm without first obtaining satisfactory assurances that the records would be protected and without a signed Business Associate Agreement. The case reportedly involved the records of more than ten thousand patients.
Once this kind of information has been released and seen by an individual or a group, the privacy that was violated cannot be restored. Revealing a person’s identity, employment, and health status may already have caused harm in any number of ways. That is why protecting this information matters so much, and BAAs make both the protection and the tracking of PHI easier.
Covered Entities, Business Associates, and Subcontractors
To understand the roles in a Business Associate Agreement, the different types of entities first have to be defined. As the name of the contract suggests, it primarily concerns business associates. This section discusses what constitutes a business associate and the related entities. According to HHS and HIPAA, business associates are, in short, entities that receive PHI from a covered entity in order to perform a function or service on its behalf, and they must therefore sign a BAA.
The cornerstone principle of the Business Associate Agreement is that any entity that will gain any degree of access to PHI must enter into a BAA with the party disclosing that information. By the same token, third parties, establishments, and other companies that assist business associates or covered entities but do not handle or access PHI do not need to enter into a BAA.
So, to clarify things, what are the parties involved in a BAA and what differentiates them from one another on the basis of roles and responsibilities?
Covered entities are organizations, institutions, or persons that provide goods and services tied to the healthcare industry. In the course of this work they obtain the PHI they need to function. These entities carry the highest level of responsibility for the disclosure of PHI, since they are usually its source. Following the HHS definition, covered entities are generally the holders of PHI and fall into these groups:
- Health Plans – organizations that maintain healthcare coverage, such as insurance companies and programs like Medicare and Medicaid. Essentially, these are “individual or group plans” that pay for the cost of healthcare.
- Healthcare Clearinghouses – typically billing services, information systems management services, pricing and repricing establishments, community health information systems, and other businesses that process health information on behalf of others, converting it from one format into another (for example, from a nonstandard format into a standard one).
- Healthcare Providers – hospitals, clinics, doctors, and other medical and health services where individuals go to receive and pay for treatment.
- Other healthcare services – supporting services related to an individual’s health that are not listed in the categories above. Under HIPAA’s definition of “health care”, this includes preventive, rehabilitative, or palliative care and other services such as counseling and assessment, as well as the sale or dispensing of medical drugs, devices, or equipment according to a prescription; providers of these services fall within the healthcare provider category.
It is important to note that the disclosure of PHI between two covered entities (for example, between two providers for treatment purposes) does not by itself require a BAA. Similarly, employees of a covered entity are not business associates, since as members of its workforce they are directly covered by HIPAA’s Privacy Rule.
Under the Privacy Rule, certain covered entities are treated somewhat differently if they meet the definition of a hybrid entity. As the National Institutes of Health describes it, a hybrid entity is one whose business operations include both “covered and noncovered” functions. A covered function is any function that would qualify the organization as a health plan, healthcare provider, or healthcare clearinghouse. To qualify as a hybrid entity, the organization must designate its covered functions as one or more separate healthcare components, treated much as if they were a separate legal entity. The Privacy Rule, including the Business Associate Agreement requirements, then applies to those healthcare components of the hybrid entity.
Business associates are entities, organizations, institutions, or individuals that assist covered entities in performing functions relevant to their operations, which often involves the disclosure of PHI. These functions include data analysis and other forms of processing or viewing data, such as various types of reviews. The distinction between a business associate and a covered entity is simple: a business associate handles PHI only because it does business with a covered entity. That access to PHI is what creates the requirement to sign a Business Associate Agreement.
Examples of business associates include practice management firms, accounting and auditing firms, legal services and law firms, IT consultants, and other third parties commonly involved in the business of covered entities.
Business Associate Subcontractor
Sometimes business associates themselves outsource functions that involve handling or accessing PHI. In that case they usually turn to subcontractors such as auditing firms, encryption companies, storage companies, and so on. Again, the rule of thumb for deciding whether a subcontractor must sign a BAA is whether it will have access to any kind of PHI.
What are the contents of a Business Associate Agreement?
- The extent of the PHI a business associate or subcontractor is permitted to use and access
- Clauses that forbid the use and disclosure of PHI beyond the extent described above
- A requirement to implement safeguards that protect PHI from unauthorized use, disclosure, or breach
- A requirement to make PHI available so that a patient’s access requests can be fulfilled
- Mandatory reporting of breaches once they are discovered
- A requirement that the business associate or subcontractor return or destroy PHI when the Business Associate Agreement terminates
In cases of breach…
HIPAA’s default rule is that a business associate must report a breach to the covered entity no later than 60 days after discovering it. However, the parties may agree in the contract to a shorter reporting deadline. BAAs commonly specify the method and timeframe for reporting breaches, along with more detailed provisions on sanctions.