What Is A BAA?
A Business Associates’ Agreement, or “BAA”, is an agreement entered into by a covered entity and a business associate. A covered entity (such as a healthcare provider) enters into a BAA with a business associate (a vendor) when that vendor may receive access to Protected Health Information (PHI).
A covered entity is defined as any health plan, healthcare clearinghouse, or healthcare provider who electronically transmits any protected health information (PHI) in connection with transactions for which HHS has adopted standards.
A business associate (BA) is defined as an organization that may receive PHI from a covered entity. This includes healthcare vendors that work with hospitals, healthcare software vendors, productivity software vendors such as CRM solutions, and accountants or auditors that will handle protected health information. Vendors may have their own business associates, such as cloud providers and software vendors. Learn how HIPAA is managed under the AWS BAA.
Who Needs to Sign A BAA?
Any individual or entity that performs functions or activities on behalf of a covered entity and interacts with protected health information (PHI) is considered a business associate (BA) and must sign a BAA. In short, companies and organizations that work with covered entities and handle PHI need to sign a BAA.
Startups and software companies planning to sell into hospitals and enterprise healthcare should plan to sign a BAA with client healthcare providers, as well as any cloud providers and software solutions that will store, process, or transmit protected health information (PHI).
With many vendors comes increased complexity. For example, a hospital may have 100 software vendors with which it has executed business associates’ agreements (BAAs). In turn, each of these 100 software vendors may have its own software solutions and cloud providers with which it signs BAAs. It is up to each stakeholder in this chain to ensure that the proper agreements are in place.
How Does A BAA Work with My Cloud Provider?
HHS has previously released guidelines on cloud computing and business associates. HHS states that when a cloud service provider (such as AWS or Azure) creates, receives, maintains, or transmits PHI, the cloud service provider is acting as a business associate. Therefore, organizations that will be using cloud platforms and software with PHI are required to have a signed BAA in place.
A BAA provided by a cloud provider defines the HIPAA safeguard responsibilities of both the cloud provider and the cloud customer. A BAA may cover only a certain subset of the provider’s services, so it is important to store, process, and transmit PHI only on services covered by the BAA. HHS also recommends that organizations have a Service Level Agreement (SLA) in place with cloud service providers to help address potential availability and security issues.
BAAs and The Cloud
Many cloud providers and software solutions will now sign a BAA with customers. That said, simply signing a business associates’ agreement does not automatically make an organization HIPAA compliant. Most cloud providers, including Amazon Web Services (AWS) and Microsoft Azure, follow a shared responsibility model for security and compliance.
Under this model, HIPAA compliance safeguards are a “shared responsibility”. Cloud providers will typically manage the physical safeguards, such as securing servers and restricting employee access to data centers, while it is up to the cloud customer to handle the administrative safeguards and technical safeguards for its own workloads.
It is possible to use HIPAA-eligible cloud services and still not be in compliance. Signing a BAA with a cloud provider is the first step in building a HIPAA compliance security plan. Solutions such as the Dash Cloud Automation Platform can help your team achieve HIPAA compliance in the cloud by creating custom administrative policies and automating technical controls and monitoring. Learn how Dash can help your organization unlock the cloud for healthcare.