Is a Business Associate Agreement (BAA) Enough to Protect You from HIPAA Enforcement Action?

According to HIPAA, businesses that handle EPHI (electronic protected health information) are required “to have contracts or other arrangements with business associates that will have access to the covered entity’s electronic protected health information (EPHI).”

In short, this means you MUST have a signed Business Associate Agreement (BAA) with every organization that comes into contact with EPHI for which you are considered a “covered entity.” Managed services providers like Connectria are one type of business associate (called a “processor” in HIPAA parlance), but there are many other types as well.

Just last year, a children’s hospital was fined $31K for failure to produce a signed BAA from a provider with whom they contracted to store their records offsite. Granted, this isn’t a huge fine in comparison to the hundreds of thousands shelled out for actual data breaches. Still, the hospital probably could have found a better use for that money than paying it to the HHS (US Department of Health and Human Services). And if there had been a breach at the records storage vendor’s site, the fines could have been much steeper.

The Connectria Take

That leads us to a pretty common question and a misconception about BAAs that we think needs to be cleared up. Just because you have a BAA signed with a vendor who handles your data doesn’t necessarily mean you’re automatically in the clear if that vendor experiences a breach.

Note: While Connectria can provide advice and input on HIPAA compliance based on a careful study of the rules and regulations, you should ALWAYS consult qualified legal counsel familiar with your business model and unique situation before making any decisions that could impact your compliance.

The challenge is that while HIPAA guidelines say that an organization must establish policies and procedures, they generally stop short of detailing what those policies and procedures should be. On the one hand, this makes sense because every business and every workload is unique. The policies and procedures your business model dictates might be very different from those of another covered entity. On the other hand, it can leave you wondering whether you might have overlooked something vital.

HIPAA guidelines require that covered entities conduct a regular risk assessment to determine where EPHI data may be at risk. Though HHS does not say how often this risk assessment should be conducted, we recommend covered entities conduct this assessment (preferably using an external auditor) at least once a year. If you are going through rapid digital transformation, you’ll obviously need to conduct the assessment more often.

The HHS has published guidance on what to include in your assessment, which you can download here.

These guidelines suggest you consider third parties that may come into contact with your EPHI as a potential risk, but that’s as far as they go. Our take is that if you were to be audited and your EPHI was determined to be at risk because of a third-party provider, the HHS Office for Civil Rights (the division that conducts audits and levies fines) is going to want to know what kind of due diligence you did before entrusting your EPHI to your business associates.


Related Resources:

Article: 6 Mistakes Jeopardizing Your HIPAA Compliance

Case Study: An Advanced HIPAA/HITECH Urgent Care Solution for the Cloud

White Paper: Supporting HIPAA/HITECH Compliance through Managed Hosting