In the United States, as more SaaS companies look to expand their services to the healthcare industry, they will need to become compliant with HIPAA. This means a BAA will be required for every tech business that wants to close deals with healthcare service providers as defined under HIPAA rules. Historically, any kind of software update to a healthcare provider’s systems could take years to implement. With the advances in software development and delivery models, covered entities can now update legacy systems and deploy new tools in record time. To ensure the safety and security of PHI, HIPAA’s Privacy and Omnibus rules require a BAA to be in place.
What is a HIPAA BAA?
Called a business associate contract under the Health Insurance Portability and Accountability Act (HIPAA), a Business Associate Agreement (BAA) enforces compliance with the act. BAAs transfer specific obligations from the healthcare company (defined as a covered entity in the act) to vendors, service providers, and subcontractors.
Any organization that interacts with PHI and isn’t a covered entity should sign a BAA before doing business with the healthcare company. This includes anyone who creates, receives, transmits, or maintains PHI. For tech companies that want to do business with covered entities, you’ll want to ensure you understand the following four key elements of BAAs.
Why Tech and SaaS Companies Need to Sign BAAs
What is PHI?
HIPAA’s main intent is to ensure covered entities manage Protected Health Information (PHI) responsibly. Any company that provides a service involved with managing PHI needs a BAA in place before starting operations.
BAAs transfer specific duties from the covered entity to the associated organization and mitigate the risks associated with unintended disclosure of PHI. A violation of the HIPAA regulations could lead to fines and other penalties under the act.
Is a HIPAA BAA a Legally Binding Agreement?
Violations under HIPAA fall into four different tiers. According to the act, penalties depend on the level of misconduct a company is guilty of and how well it responded once it became aware of the violation. Once you’ve signed the BAA, you are responsible for the related risks and need to follow all the terms of the contract, which are legally binding.
The four tiers include:
- Tier one – Applies to organizations that abided by the HIPAA rules but were unaware of (or couldn’t realistically have avoided) a violation.
- Tier two – Violations that an entity should have been aware of but couldn’t realistically have avoided, even when exercising reasonable care.
- Tier three – Organizations found to be willfully negligent of one of the HIPAA rules but that did attempt to correct the violation once it was discovered.
- Tier four – Organizations that neglected the HIPAA regulations and didn’t attempt to correct the violation once they became aware of the issue.
Are BAAs Required for Companies that Don’t Handle PHI Explicitly?
The latest update to the HIPAA rules made under the Health Information Technology for Economic and Clinical Health (HITECH) Act includes new provisions for business associates. Due to the additional risks involved, some healthcare organizations may require a BAA even if there is no PHI directly involved in the service provided.
The new rules focus on securing the entire environment while preventing willful neglect of the HIPAA regulations. The only way for covered entities to ensure compliance is to make BAAs mandatory for all service providers, requiring companies to implement elevated controls while indemnifying them from liability in the event of a breach. Even if the company doesn’t interact directly with PHI, a cyberattack may still lead to a breach, and therefore, BAAs are the only way to protect sensitive data and mitigate risks. Entities in a Business Associate Agreement must also abide by the Privacy, Security, and Omnibus rules. Learn more on how these three rules impact what is required by tech vendors in HIPAA BAAs in our blog.
How Do HIPAA and HITRUST Certification Integrate?
Although the Health Information Trust Alliance (HITRUST) isn’t a framework, it does provide certification for covered entities and the protection of PHI. SaaS and tech companies that maintain this certification will immediately receive more consideration when bidding on projects from covered entities.
HITRUST aims to inform the wider healthcare community about the risks of data breaches and how organizations can build a robust security policy that addresses these concerns. The recognized security practices included in HITRUST’s guides will help you define the necessary security controls required to ensure you comply with a BAA.
Establishing HIPAA Compliance as a Service with Carbide
To ensure compliance with HIPAA and all the related rules, Carbide helps organizations to fast-track their information security and privacy programs. With the healthcare sector’s growth potential, established companies and startups can improve their service offerings by quickly creating and implementing new data protection and security policies.
Carbide also provides additional guidance about your compliance requirements, helping your team through the design and implementation stages of your new policies. Starting with a gap analysis, you’ll learn where you aren’t currently achieving your compliance targets and how to implement a more secure SaaS solution effectively.
The Health and Human Services (HHS) agency is ramping up the penalties that apply to business associates and covered entities for not complying with HIPAA. Using Carbide’s HIPAA Compliance Fast Track program, you can generate compliant security policies in minutes, evaluate your current environment, and implement the required changes quickly. For any organization that needs to become HIPAA compliant quickly, get in touch with Carbide to discuss our latest features and capabilities. One easy thing you can do to get started now? Check out our free HIPAA compliance checklist.
Get the HIPAA Compliance Checklist for Business Associates