The HIPAA Business Associate Agreement outlines the responsibilities that each party has in managing the PHI or EHR data. In a web hosting scenario, a software development company typically wishes to host its health-related website in the cloud instead of on its own physical servers. It contacts the web host and enters into an agreement that details each party's responsibilities, with the goal of keeping unauthorized users from accessing the PHI data.
Not all web hosting companies are willing to enter into a Business Associate Agreement. For example, Amazon Web Services (AWS), a popular and economical option offered by Amazon, is not a good fit for those requiring HIPAA compliant hosting because Amazon is unwilling to enter into a Business Associate Agreement in most cases. The reason for this is simple. Amazon is purely an IaaS (infrastructure as a service) company, and the BAA calls for managed security services that go beyond the pure infrastructure play.
There has been a dramatic increase in healthcare websites and healthcare application providers that host PHI for their customers or users. This has, in turn, spawned a number of web hosting specialists that cater to the needs of those seeking HIPAA compliant hosting.
The BAA is structured around delineating what each party is responsible for. The hosting provider typically handles the technical safeguards that keep PHI data secure, while the software application publisher is responsible for creating and managing the website. Its code must adhere to security standards, and the developers must agree to keep the data secure at all times. The aim of the agreement is to ensure that both parties are responsible for the safety of the data.
The BAA is an important document that keeps both parties fully aware of their shared responsibilities in managing the PHI data. After signing the agreement, neither company can claim they were ignorant of their responsibilities or shift the blame onto the other party.
We’ll analyze the HIPAA BAA more closely in a future blog.