HIPAA Basics I: What is a BAA and Why is it Required to be HIPAA Compliant?
By Gil Vidals, , HIPAA Blog, Resources, Security

Essential knowledge for the healthcare company or developer that’s just starting out.

While there’s been a dramatic increase in healthcare websites and application providers who handle protected health information (PHI), a top-notch web hosting specialist with fully managed security services – especially one who’s able to offer a Business Associates Agreement (BAA) for HIPAA – isn’t always easy to find.

Good news! You need look no further.

But what should you know regarding the BAA? The following is essential knowledge, whether you’re a healthcare company or a developer that’s new to PHI. (Note: For a refresher on what qualifies as protected health information, see our previous article).

What is a BAA?

BAAs apply to two categories of entities that handle protected health information:

  • The “covered entity” includes a healthcare provider, health plan, or clearinghouse.
  • The “business associate” is a subcontractor that “creates, receives, maintains, or transmits protected health information on behalf of the covered entity,” or for another business associate.

If you’re one of these entities, the HIPAA Privacy Rule requires you to secure a signed, written agreement before proceeding to share that data. 

This contract, known as a Business Associate Agreement (BAA), outlines the responsibilities that each party has in managing the PHI or EHR data. Essentially the BAA states that both parties will appropriately safeguard the protected health information being handled, and keep unauthorized users from accessing that PHI data.

Note: A HIPAA cloud service provider (CSP) like HIPAA Vault fits into the category of a business associate. We provide a BAA to anyone who contracts with us to use our solutions – our pledge to protect your data and maintain privacy.

If you’re a healthcare software developer who handles PHI, you’re also a business associate. In fact, any of the following can be business associates:

  • Medical billing services
  • Marketing companies
  • IT service providers
  • Telehealth companies
  • Cloud storage providers
  • EHR providers
  • Accountants
  • Attorneys
  • Shredding services
  • etc.

But Isn’t a BAA Provided by All Web Hosters?

Software development companies looking to host their health-related website in the cloud (instead of on their physical servers) soon discover that not all web hosting companies are willing to enter into a Business Associate Agreement. The reason for this is clear: not all have the expertise and infrastructure for hosting HIPAA data.

In addition, some hosting companies that do offer a BAA will leave significant, technical configurations up to you – the user – to complete.

Take Amazon Web Services (AWS), for example. Although AWS now states that it is “HIPAA compliant” and will sign a BAA, misconfigurations of Amazon S3 (simple storage service) buckets and frequent errors in granting permissions (or authenticating users) to have access to those buckets have resulted in serious consequences. On numerous occasions health data has been left unprotected and wide open to hackers, leading to serious HIPAA violations.

In addition, the customer service piece from such providers is often lacking. They’ll provide sub-optimal technical responsiveness which can negatively impact your ability to keep your site up, and health data available.

Understand, good technical responsiveness isn’t just a nice perk. A CSP that will act as an extension of your team is essential in an industry that now considers cybersecurity vital to patient safety. As a health provider, you must be able to pick up the phone and get a resolution to an issue asap, so that medical data remains available for treatments. That’s part of our commitment to you when you receive our BAA.

Download Now!

What Does a BAA Actually Include?

The BAA is essentially structured around delineating what each of the parties is responsible to do. The hosting provider will typically handle the technical safeguards to ensure PHI data is secure, while a software application publisher (for example) would be responsible for creating and managing the website. Their code must adhere to security standards and the developers must agree to keep the data secure at all times.

Like any good agreement, the BAA will include a glossary of important terms. This is helpful, ensuring that both parties can understand the terminology. Here are some key terms you’ll typically see:

  • Protected Health Information (PHI)
  • Data Aggregation
  • Designated Record Set
  • Electronic Health Record
  • Health Care Operations
  • HITECH Act
  • Privacy Rule
  • Required By Law
  • Secretary
  • Security Rule
  • Subject Matter
  • Unsecured Protected Health Information
  • etc.

The primary aim of the BAA then is to ensure that both parties are fully aware of their shared responsibilities in managing the PHI data. Mutual responsibilities include each business associate notifying the other if they notice any suspicious activity or a breach in security.

Additionally, the BAA will clarify: Who is responsible for encrypting the PHI data? What access rights to the PHI does each party have? What PHI data can be disclosed by each party to others? 

Another important matter the BAA should address is the term and duration of the agreement. Is it clear when the agreement will end? What is the disposition of the PHI after the term is completed?

After signing the agreement, neither company should be able to claim they were ignorant of their responsibilities, or shift the blame onto the other party.

Finally, defining the jurisdiction and which locale will handle disagreements or disputes between the business associates is also important.

The business associate agreement doesn’t need to be daunting. You can talk to your attorney, who will charge you a hefty rate for producing a HIPAA agreement, or you can consider buying a boilerplate template from a lawyer who specializes in HIPAA and sells ready-made HIPAA agreements at a far lower price since they sell in volume online. You should always have your attorney review the boilerplate template to ensure it is tailored to meet your particular needs.

If you have any questions on the HIPAA BAA or on any of the HIPAA compliant solutions we provide, please give us a call: 760-290-3460.

HIPAA Vault is a low-cost leader of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities.