HIPAA Business Associates
Organizations planning to provide solutions or services to the healthcare industry are generally considered business associates and go through security procurement with healthcare providers and other healthcare customers. It is important for these teams to determine whether their organization is a business associate subject to HIPAA/HITECH regulations, and to prepare accordingly.
Business associates (BAs) such as software providers and healthcare vendors working with healthcare providers are required to comply with HIPAA regulations in order to work with protected health information (PHI).
What Is A Business Associate (BA)?
Health and Human Services (HHS) describes a business associate in the following manner:
A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity (health provider, health insurer, etc.).
Examples of business associates include:
- A SaaS company or software vendor who stores, processes and/or manages protected health information (PHI).
- A consultant that provides IT services or utilizes patient data for services provided to a hospital.
- A third party administrator that assists a health plan with claims processing.
- A CPA firm whose accounting services to a health care provider involve access to protected health information.
- An attorney whose legal services to a health plan involve access to protected health information.
- A pharmacy benefits manager that manages a health plan’s pharmacist network.
Basically, if your organization interacts with protected health information (PHI) from a health provider, health insurer, or similar covered entity (CE), your organization is considered a business associate (BA) and must comply with all HIPAA/HITECH regulations.
What Is a Business Associates Agreement (BAA)?
A Business Associates Agreement (BAA) is an agreement entered by a covered entity and business associate. A covered entity (such as a healthcare provider) enters into a BAA with a business associate (vendor) when that vendor may receive access to Protected Health Information (PHI).
A BAA provided by a cloud provider defines responsibilities around HIPAA safeguards and responsibilities for the cloud provider and the cloud customer. A BAA may only cover a certain subset of cloud services, so it is important to only store, process and transmit PHI on BAA covered services.
How Do Business Associates Become HIPAA Compliant?
Business associates can become HIPAA compliant by implementing all administrative, technical, and physical safeguards required by HIPAA. Business associates and healthcare vendors may consider taking the following steps to build a HIPAA security program:
Sign BAA Agreements –
Business associates should sign a business associates agreement (BAA) with all cloud services and vendors that will store, process or manage protected health information (PHI). Organizations should sign a BAA with their cloud provider and any other IT service where they will store or process PHI. Please note: This BAA outlines HIPAA compliance responsibilities but does not automatically make your organization or solution HIPAA compliant.
Create Administrative Policies –
Business associates should create a set of HIPAA administrative policies. Policies should be written in plain English and provide a framework for managing the HIPAA security program within the company. Policies should cover administrative safeguards and topics including:
- Compliance Roles
- Risk Assessments
- Incident Response
- Disaster Recovery and Backup
Implement Technical Safeguards –
After implementing administrative policies and procedures, business associates must implement technical security safeguards across their IT infrastructure. Technical controls must be implemented for all cloud services that will interact with protected health information (PHI) and should include the following safeguards:
- Encryption (at-rest and in-transit)
- Audit Logging
- Access Control
- Firewall/Networking Protections
While cloud service providers such as Amazon Web Services (AWS) and Microsoft Azure offer many services and security configuration settings that can be used to implement HIPAA technical controls, it is still your organization’s responsibility to ensure each resource is securely configured (i.e., each server uses encrypted volumes/disks, networking and ports are restricted, etc.).
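One practical way to carry the "your organization's responsibility" point into daily operations is to check resource configuration against the safeguards listed above with code rather than by hand. The script below is an added example, not code from the original article or from any cloud provider: it evaluates a constructed, offline inventory (SAMPLE_INVENTORY, shaped loosely like AWS describe-* API responses; the field names, resource names and the "only HTTPS may face the internet" rule are assumptions) for unencrypted volumes, internet-open ports, unencrypted or public buckets, missing audit logging, and legacy TLS on public endpoints.

```python
"""Added example (not from the original article): a small compliance-as-code
check of cloud resource configuration against the technical safeguards above.
SAMPLE_INVENTORY is a constructed, offline stand-in shaped loosely like AWS
describe-* API responses; field names and resource names are assumptions."""
from dataclasses import dataclass
from typing import Any, Dict, List

ANYWHERE = {"0.0.0.0/0", "::/0"}
PUBLIC_PORTS_OK = {443}          # assumption: only HTTPS may face the internet
WEAK_TLS = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


@dataclass(frozen=True)
class Finding:
    resource: str
    safeguard: str
    detail: str


def check_volumes(volumes: List[Dict[str, Any]]) -> List[Finding]:
    """Encryption at rest: every block volume must be encrypted."""
    return [Finding(v["VolumeId"], "Encryption (at-rest)", "volume is not encrypted")
            for v in volumes if not v.get("Encrypted", False)]


def check_security_groups(groups: List[Dict[str, Any]]) -> List[Finding]:
    """Networking: no ingress from the whole internet except on approved ports."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not ANYWHERE.intersection(sources):
                continue                      # only private/specific sources
            if perm.get("IpProtocol") == "-1":  # AWS convention for "all traffic"
                findings.append(Finding(sg["GroupId"], "Firewall/Networking",
                                        "all traffic open to the internet"))
                continue
            ports = set(range(perm["FromPort"], perm["ToPort"] + 1))
            exposed = sorted(ports - PUBLIC_PORTS_OK)
            if exposed:
                findings.append(Finding(sg["GroupId"], "Firewall/Networking",
                                        f"ports {exposed} open to the internet"))
    return findings


def check_buckets(buckets: List[Dict[str, Any]]) -> List[Finding]:
    """Encryption at rest and access control for object storage holding PHI."""
    findings = []
    for b in buckets:
        if not b.get("ServerSideEncryption"):
            findings.append(Finding(b["Name"], "Encryption (at-rest)",
                                    "no default bucket encryption"))
        if not b.get("BlockPublicAccess", False):
            findings.append(Finding(b["Name"], "Access Control",
                                    "public access not blocked"))
    return findings


def check_audit_logging(trails: List[Dict[str, Any]]) -> List[Finding]:
    """Audit logging: at least one active, tamper-evident API audit trail."""
    ok = any(t.get("IsLogging") and t.get("LogFileValidationEnabled") for t in trails)
    return [] if ok else [Finding("cloudtrail", "Audit Logging",
                                  "no active audit trail with log file validation")]


def check_endpoints(endpoints: List[Dict[str, Any]]) -> List[Finding]:
    """Encryption in transit: public endpoints must not accept legacy TLS."""
    return [Finding(e["Name"], "Encryption (in-transit)",
                    f"minimum protocol {e['MinimumProtocolVersion']} is too weak")
            for e in endpoints if e.get("MinimumProtocolVersion") in WEAK_TLS]


def audit(inventory: Dict[str, Any]) -> List[Finding]:
    """Run every safeguard check and return the combined list of findings."""
    return (check_volumes(inventory.get("volumes", []))
            + check_security_groups(inventory.get("security_groups", []))
            + check_buckets(inventory.get("buckets", []))
            + check_audit_logging(inventory.get("trails", []))
            + check_endpoints(inventory.get("endpoints", [])))


# Constructed sample inventory: a mix of compliant and non-compliant resources.
SAMPLE_INVENTORY = {
    "volumes": [{"VolumeId": "vol-enc", "Encrypted": True},
                {"VolumeId": "vol-plain", "Encrypted": False}],
    "security_groups": [
        {"GroupId": "sg-web", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
         "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-db", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
         "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-ssh", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
         "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
        {"GroupId": "sg-all", "IpPermissions": [{"IpProtocol": "-1",
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    ],
    "buckets": [{"Name": "phi-records", "ServerSideEncryption": "aws:kms",
                 "BlockPublicAccess": True},
                {"Name": "phi-access-logs", "BlockPublicAccess": True}],
    "trails": [{"Name": "main", "IsLogging": False, "LogFileValidationEnabled": True}],
    "endpoints": [{"Name": "alb-phi-api", "MinimumProtocolVersion": "TLSv1.0"},
                  {"Name": "api-gateway", "MinimumProtocolVersion": "TLSv1.2"}],
}

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.safeguard:24} {f.resource:18} {f.detail}")
```

Each finding names the safeguard from the list above that it maps to, so the output doubles as evidence for the administrative side of the program (risk assessments, audit records). In a real deployment the inventory would be fed from the provider's APIs or from infrastructure-as-code state, and the check would run on every change rather than once.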
Next Steps For HIPAA Compliance
To become HIPAA compliant, organizations must implement all necessary HIPAA administrative, technical and physical safeguards. Since there is no official HIPAA certification, teams must continue to maintain security controls and HIPAA safeguards in order to stay compliant.
Teams should develop a HIPAA security program consisting of administrative policies tailored to their organization and technologies, together with technical security controls implemented across their IT infrastructure and cloud services.
Download our free HIPAA Compliance Plan to learn about the steps business associates should take to become HIPAA compliant.