A business associate agreement (BAA) is a contract that you need with any third party who will have access to your protected health information (PHI).
Today, healthcare providers have so much electronic PHI (ePHI) data on their hands that they need to form partnerships with cloud data backup and recovery solution providers in order to store and protect it all. They also want an easy way to access their important information whenever needed.
Healthcare providers, of course, are covered by HIPAA – and under HIPAA, when you form a partnership with another organization that handles your PHI data, that partner organization becomes a HIPAA business associate or BA and must comply with HIPAA rules as well, meaning they need a compliant data storage solution.
As such, a business associate must sign a business associate agreement (BAA) in which the respective roles and responsibilities of both the health provider and the BA will be determined regarding the protection of PHI data.
So, in the most simple terms, a Business Associate Agreement (BAA) is an essential piece of documentation you must obtain from any data storage provider you work with to maintain your practice’s HIPAA compliance.
Naturally, however, simple terms don’t cover all the details you need to know when it comes to BAAs – and the details are extremely important for protecting your patient’s health information.
With more healthcare providers than ever adopting cloud solutions (the market is expected to hit $55bn by 2025, from a base of $8bn in 2018), it has never been more crucial to understand your obligations for protecting patient data whilst working with external organizations.
(Image source: prnewswire.com)
For example, take the 2019 breach of 20 million patient records held by the American Medical Collection Agency (AMCA).
The AMCA acts as an external services provider for LabCorp – i.e. AMCA is a business associate of LabCorp.
However, LabCorp itself is now implicated in a derivative lawsuit despite the fact that it was its business associate AMCA that suffered the data breach. The lawsuit alleges that LabCorp’s “insufficient cybersecurity procedures and oversight of AMCA […] permitted unauthorized access to LabCorp’s patients’ confidential, personal information.”
Knowing what a BAA is, what it covers and when you need one is essential for keeping your patients’ private data safe and avoiding similar lawsuits; that can harm your business reputation.
Below, we delve into detail about business associate agreements.
What Is A HIPAA Business Associate?
According to the guidance from the Department of Health and Human Services, a HIPAA business associate is any external vendor that has access to or “creates, receives, maintains or transmits” protected health information (PHI) on behalf of a covered entity under HIPAA. They are also defined as anyone who does work for an organization using PHI and is considered part of their workforce.
A business associate can be either an individual or an organization and includes offshore companies as well as those based in the United States of America.
Crucially, should an organization create, receive, maintain, or transmit PHI on behalf of a business associate, this business becomes a business associate subcontractor (BAS) and HIPAA requires that business associate subcontractors enter into a business associate subcontractor agreement (BASA) as well.
(Image source: totalhipaa.com)
What Is a BAA (Business Associate Agreement)?
To work with a HIPAA covered entity, all business associates must sign an agreement. To make sure this is done properly and on the same level as other business agreements, it should be signed by everyone who will have access to your PHI data in order to process or store said data.
This prevents any sort of misuse for purposes that would not be permitted under HIPAA law because you are working with a regulated healthcare organization.
A BAA is a written contract between a covered entity and a business associate that covers each party’s responsibilities for safeguarding sensitive patient healthcare information.
A BAA contract should establish:
- The business associate’s reason for holding Protected Health Information (PHI) data
- How the business associate is permitted to use, process and store PHI data
- A guarantee that the business associate will not use PHI data outside of these parameters
- Appropriate safeguards to prevent data breaches
What is the Purpose of a Business Associate Contract?
A Business Associate Agreement (BAA) is an agreement between an organization and a third-party service provider. The purpose of the agreement is to have a signed document that specifies that any third-party service provider agrees to the following: to take responsibility for the safety of PHI, to maintain appropriate safeguards, and to comply with HIPAA requirements when they handle PHI on your behalf.
BAAs and Cloud Service Providers (CSPs)
The Department of Health and Human Services released detailed guidelines for practices working with CSPs back in 2016. As well as the BAA and its contents listed above, The Department of HSS recommends establishing a service level agreement (SLA) when working with CSPs to address your practice’s specific business requirements.
When working with a CSP, an Service Level Agreement (SLA) should cover:
- System availability and reliability
- PHI backup and recovery
- How PHI should be treated after termination of services
- Security responsibility
- Use, retention and disclosure limitations
BAAs and Encrypted Data
HSS guidelines explicitly state that you should sign a BAA with an external vendor even if they are storing encrypted PHI without access to a decryption key.
In other words, you still need a BAA regardless of whether the business associate can actually see what data they are storing.
This is because whilst encrypting electronic PHI is good practice for reducing potential exposure, it isn’t considered enough of a safeguard against data breaches on its own.
Does a BAA Guarantee HIPAA Compliant Data Storage?
As well as asking ‘What is a BAA?’ and ‘What does a BAA cover?’, it’s also important to consider the limitations of a BAA for third-party HIPAA compliance.
The Business Associate Agreement (BAA) regulates the relationship between an organization and its vendors or any third party service providers.
The most significant limitation is this – BAAs are necessary to maintain HIPAA compliance, but they do not guarantee HIPAA compliance in and of themselves.
As well as signing a BAA, business associates must follow the same stringent HIPAA rules that your practice does as a HIPAA covered entity.
Importantly, this includes complying with the three electronic PHI safeguarding categories outlined by the HIPAA Security Rule:
- Technical (transmission security, access, integrity and audit controls)
- Physical (workstation and device protection, data facility access controls)
- Administrative (data access management, staff management and training, security management, regular assessment)
Business associates must also carry out extensive risk assessments and ensure all encryption algorithms meet NIST standards.
If your vendors or service providers don’t do this, you may find your practice is just as liable as your business associate in the event of a data security breach.
When you’re looking for external ePHI data storage solutions, it’s important to establish what sort of practices vendors have in place to keep your patients’ data safe from cyber security threats and breaches.
The willingness to sign a BAA is of course imperative – but you’ll still need to conduct due diligence on potential vendors to find a genuine HIPAA compliant cloud backup solution.
Look for Specialist HIPAA Cloud Storage Solution Providers
You could sign a BAA with a generalist data backup recovery solutions provider and hope they have enough expertise to implement HIPAA processes in their organization.
For ultimate peace of mind, however, look for specialist HIPAA compliant cloud storage providers with proven track records working with ePHI data.
At Central Data Storage, we provide cloud data backup and recovery solutions specially designed around your practice’s HIPAA compliance needs.
HIPAA compliant backup through UnisonBDR is what we do day in, day out for a huge range of satisfied clients.
With UnisonBDR for business data storage, all your backups are performed automatically and our 448-bit end-to-end encryption exceeds military grade standards.
We sign BAAs with all our clients and are approved by third-party auditors as 100% compliant with HIPAA, as well as HITECH, GDPR and State Laws.
Our solution covers data storage services, encrypted file sharing and data backup & recovery – and with unlimited storage capacity, dual authentication and ransomware recovery, you can be sure your data is fully protected no matter what.
See how we could improve your data backup and recovery plan. Call 1-888-907-1227 or email firstname.lastname@example.org for more information.