The Health Insurance Portability and Accountability Act (HIPAA) is legislation that regulates the security provisions and data privacy of patient medical information. This act states that any entity that stores or processes electronic Protected Health Information (ePHI) must comply with the provisions it stipulates to protect healthcare data.
As healthcare organizations have become increasingly reliant on their technology systems, the amount of data they produce and store has grown exponentially. The higher degree of interoperability and integration that exists between various care providers and their suppliers has also increased. Due to the high level of information sharing that exists in the healthcare technology industry, HIPAA categorizes an organization as either a covered entity or business associate.
Covered Entities and Business Associates
Covered entities are primary healthcare providers such as:
- Doctors
- Hospitals
- Pharmacies
- Dentists
Business associates refer to organizations or individuals that act as vendors or suppliers to a covered entity and have access to PHI. These include:
- Data processing enterprises
- Information storage organizations
- Law firms
- Software vendors
Under HIPAA, both covered entities and their business associates need to comply with the rules of the act and implement the appropriate measures to ensure they protect ePHI.
The HIPAA Privacy Rule requires that a covered entity must obtain satisfactory assurances from its business associates. It is vital that they understand the need to protect patient healthcare information. The act further states that these assurances must be in writing. Covered entities and business associates can face similar repercussions should a data breach compromise any ePHI. Entering into a formal contract may mitigate the covered entity’s risk but is also a mandatory HIPAA requirement.
What is The HIPAA Business Associate Agreement?
A business associate agreement (BAA) is a written contract that details the responsibilities of the covered entity and the business associate regarding the protection of protected health information (PHI). The contract should state that the vendor, supplier, or partner will not use or disclose PHI other than as permitted or required by law.
Due to HIPAA’s stringent requirements and severe penalties, every healthcare provider must enter into a business associate agreement with partners, suppliers, or vendors that access, process, or store PHI. The contract must clearly state that both the covered entity and the business associate are obligated to comply with the rules and regulations of the act.
As the contract’s primary purpose is to protect both parties in the event of a data breach, the agreement must state the stipulations and obligations of each party clearly. It should define the types of protected health information that the covered entity will share with the business associate. It should also detail where and how the business associate can use the PHI and what measures they need to implement to ensure the security and privacy of patient healthcare information.
What You Need to Include in Your HIPAA BAA
HIPAA details three broad categories of safeguards that every covered entity and business associate should implement to comply with the provisions of the act. Some of the elements described under each category are required, while others are addressable. Required safeguards are mandatory. Failing to comply with a required safeguard can result in a HIPAA sanction or financial penalty. Addressable safeguards offer some flexibility. In some circumstances, an organization may not need to comply with the stated regulation, but it needs to fully document the reason and present this documentation during a HIPAA audit.
The HIPAA Safeguards
Administrative
The administrative safeguards focus on elements that define an organization’s security management process. They typically include items such as:
- Policies
- Procedures
- The maintenance of security measures that protect PHI
Cybersecurity awareness training, risk analysis, risk management, data backups, and disaster recovery plans are just some of the mandated HIPAA administrative safeguards that a business associate should be required to comply with as part of the Business Associate Agreement.
Physical
Physical safeguards deal with measures such as facility access controls that mitigate physical security risk. A BAA would specify the physical security requirements that a business associate should comply with.
Some of the requirements that fall under this category include:
- Secure workstation access
- Physical security mechanisms for all devices
This section of the act also deals with the safe disposal of media containing ePHI. The reuse of media that previously stored patient healthcare information is also covered under this HIPAA safeguard.
Technical
The third and final category details the technical safeguards that covered entities and business associates need to implement to protect ePHI.
Some of the requirements that fall under this category include:
- Unique user identification
- Emergency access procedures
- Encryption
It also details the integrity controls that organizations need to put in place to ensure that ePHI has not been altered or destroyed in an unauthorized manner.
Get Satisfactory Assurances
The HIPAA business associate agreement describes the relationship between a covered entity and its business associates. It also details how a business associate can use any PHI and is a vital instrument in ensuring HIPAA compliance.
Unlike some commercial contracts, a HIPAA business associate agreement does not automatically indemnify a covered entity against financial penalties. The onus is on the covered entity to obtain satisfactory assurances that the business associate will appropriately safeguard the covered entity’s PHI. If the covered entity fails to get this assurance, and there is a compromise involving PHI, the covered entity may still be liable under the act.
Questions about HIPAA compliance? We can help. Let’s schedule a consultation.