The aim of the Health Insurance Portability and Accountability Act (HIPAA) is to safeguard the privacy of sensitive medical information. The practice of medicine has changed a lot in the two decades since HIPAA’s passage, and it’s not always clear what lengths an office needs to go to in order to avoid violations and comply with its requirements.
Data breaches arising from lost or stolen devices, such as laptops containing PHI, are not the only cause of the recent harsh fines, which are accelerating in both rate and severity; examples are now being set for should-have-known-better vulnerabilities as well. In 2017, one organization was fined not for exposing protected patient information, but for not having a Business Associate Agreement (BAA) in place with its technology vendor.
These questions will help you determine whether or not a BAA is needed for the third-party services and technology used by your office.
Does this service or technology vendor store, transmit, or process protected health information (PHI)?
HIPAA’s provisions for using, disclosing, and safeguarding individually identifiable health information apply to covered entities—physician offices, hospitals, health insurers and other healthcare companies—that have access to patients’ protected health information (PHI). They also apply to business associates, such as IT and cloud service providers, that store, transmit, or process PHI on these covered entities’ behalf.
In addition to storing and transmitting data, business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; and practice management. Business associate services include legal, actuarial, accounting, consulting, data aggregation, management, administration, and accreditation.
Does this service or technology vendor’s use of PHI fall within the scope of HIPAA requirements?
The law regulates PHI use and dissemination in four general areas:
- Privacy, including patient confidentiality
- Security, including physical, technological, and administrative safeguards for protecting information
- Identifiers—information that cannot be released if collected for research purposes
- Codes for electronic transmission of data in healthcare-related transactions, including eligibility and insurance claims and payments
The BAA requirement applies to any third-party service provider that is able to access your practice’s PHI. These include:
- Any software provider whose tech support staff connect to your computers to troubleshoot issues (which gives its tech support access to PHI).
- Businesses that access your practice management database and use data to send patient reminders or other patient communications, or to provide you with performance statistics.
- Patient benefits programs.
- Wireless networks, internet service providers, backup storage providers, and email providers, if email is hosted externally and contains any PHI.
Can this vendor or service provider comply with these requirements under a BAA?
The BAA contract spells out how the business associate can handle the covered entity’s PHI and stipulates what each party will do to adhere to HIPAA’s provisions. Once the BAA is in place, covered entities can use the business associate’s services.
Many cloud vendors have taken steps to accommodate healthcare’s unique security needs, to increase support for business associate agreements (BAAs), and to undergo third-party privacy and security assessments. Some file hosting services, for example, are HIPAA-compliant for users who register for business accounts and sign a BAA.
If you’re considering new or additional practice management software, ask the vendor to provide information about other BAAs it has and how it uses and safeguards PHI.
BAAs aren’t a diabolical bureaucratic ploy to waste your time—they protect you and your practice by ensuring your vendors are protecting and handling sensitive patient information with the care it requires.
Sources:
- U.S. Department of Health and Human Services/HHS.gov, “What is the intersection of the HIPAA right of access and the HITECH Act’s Medicare and Medicaid Electronic Health Record Incentive Program’s “View, Download, and Transmit” provisions?” https://www.hhs.gov/hipaa/for-professionals/faq/2057/what-is-the-intersection-of-the-hipaa-right/index.html
- Microsoft Trust Center website, https://www.microsoft.com/en-us/trustcenter/Compliance/HIPAA
- MME Consulting, May 25, 2015, “You need a Business Associate Agreement with your IT Person (and others),” by Steve McEvoy, http://blog.mmeconsulting.com/baa/
- U.S. Department of Health and Human Services/HHS.gov, July 26, 2013, “Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?” https://www.hhs.gov/hipaa/for-professionals/faq/570/does-hipaa-permit-health-care-providers-to-use-email-to-discuss-health-issues-with-patients/index.html
- TechTarget SearchHealthIT, May 3, 2017, “Cloud in healthcare boosts storage, mobility efforts,” by Tayla Holman, http://searchhealthit.techtarget.com/feature/Cloud-in-healthcare-boosts-storage-mobility-efforts
- HITInfrastructure, November 30, 2016, “Healthcare Cloud Becomes IT Infrastructure Necessity,” by Elizabeth O’Dowd, https://hitinfrastructure.com/news/healthcare-cloud-becomes-it-infrastructure-necessity