HIPAA Compliance: How do Business Associate Agreements work?

When you go to the doctor for treatment, what’s to stop him/her from passing your information to a pharmaceutical company? What’s to stop the doctor from denying you access to your records if you miss a payment? What protects you from having your health information shared with the world at large? Well, if you read the title, then you know the answer to these questions. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) covers the above and more, protecting your individual rights with a set of governing guidelines and rigid penalties for non-compliance. But many don’t understand entirely how HIPAA protects them, or the requirements behind it. In this article, we’ll cover some of these basics but will focus on business agreements, as this is where HIPAA compliance comes into play for most organizations that are not considered Covered Entities.

Covered Entities

What is a Covered Entity? Well, if you are one, there is no question that you already know it.  Covered Entities include any organizations directly involved in patient care and with the associated health information, or who deal with health information in order to perform billing functions. Covered Entities include, as explained by HHS.gov: 

• Health Plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
• Most Health Care Providers—those that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
• Health Care Clearinghouses—entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

Business Associate Agreements

As stated, if you are a Covered Entity, you’re probably aware of it. Training is provided as a matter of course. But for those working with these Covered Entities, the requirements are often as strict. Third-party organizations that do business with Covered Entities, and have contact with personal health information (PHI) in any way, must also familiarize themselves with HIPAA, and must also be HIPAA compliant, as they must be covered by what is termed a “business associate agreement”. In other words, in order for a Covered Entity to be compliant, those they do business with must be as well. Not only that, but any third party contracting with a business associate (and who in any way touches PHI information by association) must in turn be a business associate. Each organization is a link in a chain, and that chain is what protects personal health information from abuse or negligent handling. 

But this is the gray area – if every organization that did business with a covered entity, and in turn every organization that did business with these business associates in turn needed to be a business associate, every organization on earth would have to be HIPAA compliant. The key delineator is whether or not personal health information is accessed or handled (even in passing) by your organization. Let’s say that your organization accesses personal health information in order for your application to verify eligibility for a health plan. Your organization will need to be HIPAA compliant. But does the janitorial service that cleans your offices? In general, the answer is no. But if there is any exposure to PHI, even in the form of printouts in the wastebaskets, then yes, they would need to be, because the handling of said documents (even in the trash) would need to be done in a way that would not compromise anyone’s personal health info. That said, if there are printouts in the wastepaper baskets, the problem lies with your organization’s HIPAA compliance, not the janitorial services handling of them. 

You can also see Types of Business Associates in Software Development

Don’t Break the Chain

Therein lies the rub. HIPAA compliance best practice is essential to limit exposure as much as possible, and if applied correctly, the chain of custody should be eliminated as quickly (and safely) as possible. Best practices should be in place at every level of the organization to ensure that personal health information is kept in-house. This is because your liability does not end when the data leaves your doors. The fines for a HIPAA breach extend all the way up the chain, no matter at what point the breach occurs. Entrust PHI in your care to the wrong business associate, and your organization will still face consequences. 

This is especially true if you entrust data to an organization from overseas. While you are bound by HIPAA regulations and must be trained in the handling of such sensitive information, as yet no overseas organization has been held liable for such a breach, due to the intricacies of international law. In other words, if the breach happens outside of the US, the buck stops with you. While the fine might extend up the chain, the fewer organizations are held accountable, the more the fine you will be expected to pay. And HIPAA fines can be exorbitant. The largest fine levied was against Anthem in 2018, to the tune of 16 million dollars. More recently, a fine of 875,000$ was levied against Oklahoma State University. While not as large, this fine is certainly more than an average mid-sized business can absorb and highlights the need for extreme care. 

Trust and Experience

Having discussed the risks associated with a HIPAA breach, you can understand that the best way to insulate yourself from said risks is to look for organizations that already have the necessary experience. HIPAA compliance requires documentation of practices, employee training at all levels, and a number of legal agreements to be signed. Getting a new organization certified as compliant, and ensuring they are ready to handle the data in the prescribed manner is an expensive proposition. The organization also has to commit to fulfilling these obligations, and unless they can see future opportunities as a result, will likely expect some degree of help with those costs.

It is also important to consider hiring practices. If the organization itself is technically HIPAA compliant (ie all direct employees HIPAA trained, etc), but outsources to outside developers, liability does not end with the direct employees. This is one reason Swovo does not outsource work. In order to be truly HIPAA compliant, all personnel (outsources or not) with access to project materials must be as well. 

Swovo is HIPAA compliant, and has undergone training and compliance certification through Accountable HQ. If your website or application handles personal health information (PHI), even in passing, choosing an organization that already knows the ropes can save you a great deal of time, effort, and money. Such an organization can hit the ground running, work the requirements of HIPAA into project management planning, and ensure all developers involved are cognizant of the risks. As one such organization, Swovo stands ready to deliver the solution you need, while protecting the personal health information of your customers.