What is a BAA?
Today, healthcare providers have so much electronic PHI (ePHI) data on their hands that they need to form partnerships with cloud backup and recovery solution providers in order to store and protect it all.
Healthcare providers, of course, are covered by HIPAA – and under HIPAA, when you form a partnership with another organization that handles your PHI data, that partner organization becomes a HIPAA business associate or BA and must comply with HIPAA rules as well.
As such, a business associate must sign a business associate agreement (BAA) in which the respective roles and responsibilities of both the health provider and the BA will be determined regarding the protection of PHI data.
So, in the most simple terms, a business associate agreement is an essential piece of documentation you must obtain from any data storage provider you work with to maintain your practice’s HIPAA compliance.
Naturally, however, simple terms don’t cover all the details you need to know when it comes to BAAs – and the details are extremely important.
With more healthcare providers than ever adopting cloud solutions (the market is expected to hit $55bn by 2025, from a base of $8bn in 2018), it has never been more crucial to understand your obligations for protecting patient data whilst working with external organizations.
(Image source: prnewswire.com)
For example, take the 2019 breach of 20 million patient records held by the American Medical Collection Agency (AMCA).
The AMCA acts as an external services provider for LabCorp – i.e. AMCA is a business associate of LabCorp.
However, LabCorp itself is now implicated in a derivative lawsuit despite the fact that it was its business associate AMCA that suffered the data breach. The lawsuit alleges that LabCorp’s “insufficient cybersecurity procedures and oversight of AMCA […] permitted unauthorized access to LabCorp’s patients’ confidential, personal information.”
Knowing what a BAA is, what it covers and when you need one is essential for keeping your patients’ private data safe and avoiding similar lawsuits.
Below, we delve into detail about business associate agreements.
What Is A HIPAA Business Associate?
According to guidance by the Department of Health and Human Services (HHS), a HIPAA business associate is any external vendor that has access to or “creates, receives, maintains or transmits” protected health information (PHI) on behalf of a HIPAA covered entity.
A business associate can be either an individual or an organization and includes offshore companies as well as those based in the US.
Crucially, should an organization create, receive, maintain, or transmit PHI on behalf of a business associate, this business becomes a business associate subcontractor (BAS) and HIPAA requires that business associate subcontractors enter into a business associate subcontractor agreement (BASA) as well.
(Image source: totalhipaa.com)
What Is a BAA?
To process and store PHI data whilst remaining HIPAA compliant, all business associates must sign a Business Associate Agreement (BAA) when working with a HIPAA covered entity.
A BAA is a written contract between a covered entity and a business associate that covers each party’s responsibilities for safeguarding PHI.
A BAA should establish:
- The business associate’s reason for holding PHI data
- How the business associate is permitted to use, process and store PHI data
- A guarantee that the business associate will not use PHI data outside of these parameters
- Appropriate safeguards to prevent data breaches
BAAs and Cloud Service Providers (CSPs)
Increasingly, healthcare providers are turning to cloud service providers (CSPs) for data storage support and cloud backup and recovery services.
HHS released detailed guidelines for practices working with CSPs back in 2016. As well as the BAA and its contents listed above, HHS recommends establishing a service level agreement (SLA) when working with CSPs to address your practice’s specific business requirements.
When working with a CSP, an SLA should cover:
- System availability and reliability
- PHI backup and recovery
- How PHI should be treated after termination of services
- Security responsibility
- Use, retention and disclosure limitations
BAAs and Encrypted Data
HHS guidelines explicitly state that you should sign a BAA with an external vendor even if they are storing encrypted PHI without access to a decryption key.
In other words, you still need a BAA regardless of whether the business associate can actually see what data they are storing.
This is because whilst encrypting electronic PHI is good practice for reducing potential exposure, it isn’t considered enough of a safeguard against data breaches on its own.
Does a BAA Guarantee HIPAA Compliant Data Storage?
As well as asking ‘What is a BAA?’ and ‘What does a BAA cover?’, it’s also important to consider the limitations of a BAA for third-party HIPAA compliance.
The most significant limitation is this – BAAs are necessary to maintain HIPAA compliance, but they do not guarantee HIPAA compliance in and of themselves.
As well as signing a BAA, business associates must follow the same stringent HIPAA rules that your practice does as a HIPAA covered entity.
Importantly, this includes complying with the three electronic PHI safeguarding categories outlined by the HIPAA Security Rule:
- Technical (transmission security, access, integrity and audit controls)
- Physical (workstation and device protection, data facility access controls)
- Administrative (data access management, staff management and training, security management, regular assessment)
Business associates must also carry out extensive risk assessments and ensure all encryption algorithms meet NIST standards.
If your vendors don’t do this, you may find your practice is just as liable as your business associate in the event of a data breach.
When you’re looking for external ePHI data storage solutions, it’s important to establish what sort of practices vendors have in place to keep your patients’ data safe.
The willingness to sign a BAA is of course imperative – but you’ll still need to conduct due diligence on potential vendors to find a genuine HIPAA compliant cloud backup solution.
Look for Specialist HIPAA Cloud Storage Solution Providers
You could sign a BAA with a generalist data backup recovery solutions provider and hope they have enough expertise to implement HIPAA processes in their organization.
For ultimate peace of mind, however, look for specialist HIPAA compliant cloud storage providers with proven track records working with ePHI data.
At Central Data Storage, we provide cloud data backup and recovery solutions specially designed around your practice’s HIPAA compliance needs.
HIPAA compliant backup is what we do day in, day out for a huge range of satisfied clients.
With our data storage solutions for business, all your backups are performed automatically and our 448-bit end-to-end encryption exceeds military-grade standards.
We sign BAAs with all our clients and are approved by third-party auditors as 100% compliant with HIPAA, as well as HITECH, GDPR and State Laws.
Our solutions cover data storage services, encrypted file sharing and data backup & recovery – and with unlimited storage capacity, dual authentication and ransomware recovery, you can be sure your data is fully protected no matter what.
See how we could improve your data backup recovery plan with a free expert-led data assessment. Call 1-888-907-1227 or email firstname.lastname@example.org for more information.