For healthcare organizations, choosing the right product and service vendors is essential for achieving HIPAA compliance. One of the key prerequisites of a HIPAA-compliant vendor is the willingness to sign a Business Associate’s Agreement (BAA): a legal agreement that outlines both parties’ responsibilities and liabilities in securing protected health information (PHI).
However, despite what some healthcare organizations have been led to believe, simply signing a BAA with a vendor doesn’t guarantee your use of their product or service will be HIPAA-compliant. In reality, a BAA is just the beginning, and there are several subsequent actions both healthcare organizations and their supply chain partners must take to ensure the compliant use of PHI, especially over communications channels like email.
With this in mind, this post explores some of the reasons why signing a BAA on its own doesn’t ensure the security of PHI and protect your organization from HIPAA violations.
Business Associate Agreements (BAAs) Explained
As touched upon above, a BAA is a legally-binding document established between a covered entity (CE), i.e., healthcare organizations, and a business associate (BA), i.e, any company that handles PHI in providing a CE with products or services. For a BA to handle patient or customer data on behalf of a CE, following HIPAA regulations, there must be a BAA in place.
A BAA details:
- Each party’s roles, responsibilities, and liabilities in securing PHI.
- The permitted uses of PHI by the BA and, conversely, restrictions on any other use.
- The BA’s responsibilities in implementing appropriate administrative, technical, and physical security measures to best protect PHI.
- The BA’s obligations to report any unauthorized use, disclosure, or breach of PHI.
- That the BA is required to assist with patient rights support, i.e., data access, amendments, and accounting of disclosures, when appropriate.
- The BA’s obligations in making records available for audits or investigations.
- The CE’s right to terminate the contract if the BA fails to fulfil their obligations in safeguarding PHI.
Additionally, if a BA employs a third-party company, i.e., a subcontractor, that will have access to a CE’s PHI, they are required to establish a BAA with that company. This then makes the subcontractor a “downstream BA” of the CE, and subject to the same obligations and restrictions placed on the original BA. This ensures the security protections mandated by HIPAA flow down the entire chain of custody for sensitive patient and customer data.
Compliance Considerations After Signing a Business Associate Agreement (BAA)
Now that we’ve covered what a BAA is and the role it plays in ensuring data privacy, let’s move on to exploring some of the key things you have to do following the singing of a BAA to ensure HIPAA compliance.
1. Both Parties Must Implement HIPAA-Required Data Risk Mitigation Measures
First and foremost, while a BAA details each party’s respective responsibilities in implementing measures to protect PHI, both still actually need to implement those required security features to achieve HIPAA compliance.
The measures required under HIPAA’s Security Rule, including encryption and access control, are designed to mitigate and minimize the impact of data breaches. So, if a company suffers a security breach and later audits show the required security policies and controls were not in place, they would be subject to the consequences of HIPAA violations, including fines and reputation damage.
Also, while a BAA stipulates that the BA is responsible for implementing the HIPAA-required safeguards for the PHI under their care, it doesn’t specify exactly which security measures they must implement. Subsequently, that’s left to the BA to interpret based on their understanding of HIPAA requirements, and how they conduct their required risk assessments.
For example, if you have a BAA with your email services provider, that alone may not be enough to keep your company or organization HIPAA compliant. That’s because the provider may not have the security measures your organization needs, and instead have a carefully worded BAA that will leave you vulnerable.
Let’s say your email marketing service provider is a “semi-HIPAA compliant” provider. In these cases, they may not offer email encryption, or the necessary access control measures your organization needs to send PHI and other sensitive information safely. The so-called HIPAA compliance may be limited only to data stored at rest on their servers only.
In short, although a BAA outlines each party’s commitment to securing data, both parties still have to follow through on implementing risk mitigation measures. Additionally, though a healthcare company has its BA’s assurances that they’ll have the appropriate safeguards in place, CEs often only have limited visibility into its ongoing security posture. As a result, asking the right questions and working with a proven HIPAA compliant provider are critical steps healthcare organizations must take to ensure full compliance.
2. CEs Must Stick to “In-Scope” Services
While a BA may provide a CE with a range of services, many limit the coverage of their BAAs to particular “in-scope” services. As a result, if a healthcare organization were to use a service outside the coverage of the BAA, i.e., an “out-of-scope” service, they’d risk exposing patient data and incurring HIPAA violations.
And, even when a service is in-scope, the BA is still required to configure it properly for it to be compliant. These configurations could include:
- Enabling encryption
- Establishing access control
- Activating multi-factor authentication (MFA)
- Turning on audit logging
With this in mind, it’s crucial to ensure that the “complete” service or tool – not just a part of it – is covered by a BAA before using it to process PHI. Similarly, check the terms of your BAA for configuration or security best practices that offer guidance on fully HIPAA compliant use, and make sure your responsibilities as a CE are 100% clear.
3. Staff Must Be Trained to Securely Handle PHI
Another key reason that signing a BAA doesn’t automatically result in HIPAA compliance is the likely need for both parties to educate their staff on how to securely handle sensitive data, such as PHI.
Firstly, as discussed above, only some of the services offered by a BA may be covered by its agreement. Subsequently, a healthcare organization’s employees need to be sufficiently trained on the use and disclosure of PHI, namely, the services in which they’re permitted to process PHI and which, in contrast, services are non-compliant.
By the same token, as well as implementing the stipulated safeguards, BAs are responsible for training their workforce on how to use and, where appropriate, configure them. This will help ensure the limited, correct use and disclosure of PHI as allowed by the BAA.
4. Reporting Requirements
A BAA stipulates that a BA must notify the CE in the event of improper or unauthorized use of PHI. More specifically, this includes:
- Reporting immediately any use or disclosure not permitted by the terms of the BAA.
- Notifying the CE of security incidents resulting in the potential exposure of PHI.
However, the commitment to reporting in the BAA and the ability to deliver on that commitment are two different things entirely. Firstly, the BA must implement the policies and infrastructure that allow for timely incident reporting. This includes conducting risk analysis, implemeting continuous monitoring, and developing a robust incident response plan.
Additionally, a key aspect of prompt, comprehensive reporting includes the BA ensuring that their staff are sufficiently trained to detect and report security events. As part of their training on the secure handling of PHI, a BA’s employees must be able to recognize common security issues and threats, such as improper email configurations and phishing attempts, and how to report them.
5. Subcontractor BAAs
While CEs must sign BAAs with their BAs for the compliant use and disclosure of PHI, they don’t have to sign such agreements with any subcontractors the BA may employ. Instead, it’s the responsibility of the BA to enter into their own business associate agreements with their subcontractors. As a result, the original security obligations are passed all the way down the data’s chain of custody.
While a CE can take certain measures to enforce this, such as requesting proof of subcontractor BAAs – or even the ability to review subcontractors before beginning engagement – ultimately, they have little control over their security postures. Ultimately, this means that they have to trust that the original service BA does their due diligence in selecting security-minded subcontractors, with the right PHI safeguards in place.
HIPAA Compliance Beyond a BAA with LuxSci
LuxSci’s secure healthcare communications solutions – including HIPAA compliant email, text, marketing and forms – are designed specifically with the stringent compliance requirements of the healthcare industry in mind.
LuxSci also provides onboarding, comprehensive documentation, and support to ensure your infrastructure configurations align with HIPAA requirements, so you can confidently include PHI in your healthcare engagement communications campaigns.
Contact LuxSci today to discover more about achieving compliance beyond obtaining a BAA.
