HIPAA covered entities — health care providers in the US who meet certain criteria — are responsible for protecting their clients’ information under that aptly named set of laws (think about a certain large animal that sounds similar to “HIPAA.”) We also need to make sure the people we hire to handle our information are living up to the same rules. To get that assurance, we use what is called a “Business Associate Agreement.”
HIPAA defines those people we hire to handle personally-identifying client information — e.g. billing services, online data backup services, etc. — as “Business Associates.” HIPAA states in the Administrative Simplification that we can work with such services if we “…obtain satisfactory assurances that the business associate will appropriately safeguard [personally-identifying client information.]“ That “satisfactory assurance” is required by the law to take the form of a contract called a Business Associate Agreement, or “BAA” for short. (Federal agencies may get assurances in other ways, but the rest of us don’t have that luxury.)
Nearly every Business Associate will have a BAA contract ready to go and will ask you to sign theirs. This is because they want to have control over what they agree to do.
What is a BAA?
A BAA is essentially a promise from the Business Associate that they will safeguard your data in the same ways you as a covered entity are required to do. Another important item is the assurance that the Associate will track “security incidents,” and provide audit trails, as necessary, of what’s been happening with your data. For example, Business Associates must inform you if they suffer a security breach that impacts you and/or your clients.
It can be important for you to know if a person or company counts as your Business Associate not just because it means you need a BAA with them, but also because their Business Associate status happens automatically as soon as they touch any of your protected health information. Even without the BAA in place, that third party instantly becomes covered by HIPAA as a Business Associate, and they may not even know it!
If you need a BAA with a group or person who isn’t prepared with a contract, first consider whether or not they are prepared and capable to protect your information to HIPAA standards. You’ll want to take their needs into account as well as your own. Taking on HIPAA Business Associate status is a risky legal position to be in, so be careful not to pressure anyone into it if they aren’t ready for it. If they turn out to be up to the job, see our article on free HIPAA forms for links to sample Business Associate Agreement contracts that you can use.
Who Counts As a Business Associate? My Email Provider? The Cleaning Crew?
Picture this: a mental health professional decides that she doesn’t have enough space to keep her own paper records in the office. So instead of keeping them in her own filing cabinet, she hires the office next door to keep them for her. When she needs to, she writes down a session note and then sends it next door where they add the note to the correct client’s file. When she needs to see files, she sends over a request and they bring her a copy of the files she wants to see.
The situation sounds ridiculous, but we do exactly that kind of process every time we use a cloud service in our practices. That includes writing and receiving emails, using online scheduling, doing payment online, backing up data online, and more.
We also do a similar thing when we hire an outside professional or company to do billing, accounting, or other services for us that involve handling our client information.
The common thread among all those examples is that they all use their own resources to handle our information. Very importantly, the clinician who uses these services has no control over how those resources are managed and kept secure. To use Securityland language, those services all work under their own policies and procedures, and they do not follow our policies or procedures.
In such a situation, where we don’t have control over how an outside person or group manages our information, HIPAA requires that we get assurances that they will manage the information to HIPAA standards through the execution of a Business Associate Agreement contract.
Purposeful Contact vs. Accidental or Incidental Contact
A not-totally-obvious conclusion that follows from the above perspective on Business Associates is that BAs are people or companies whose relationship to the clinical practice is specifically intended to include the handling of protected health information.
For example, at Person-Centered Tech, we commonly get asked if cleaning services are Business Associates. They have the potential to contact client information and may even manage resources that contain records (e.g. moving file cabinets around in order to clean behind and under them.) The cleaning crew’s potential contact with information is what is called “accidental or incidental.” Because of that, they are not a HIPAA Business Associate. After risk analysis, you may note that some kind of confidentiality agreement with the service is called for. However, that is a very different beast from a Business Associate Agreement.
There are a number of other edge cases where clinicians wonder if someone is their HIPAA Business Associate. Exploring them all is beyond the scope of this article, but further exploration can be found in our Engaging in HIPAA Security and Digital Confidentiality as a Mental Health Professional Series. Subscribers to Person-Centered Tech Support can also ask about their own particular situations at our weekly Office Hours sessions.
What About the “Conduit Exception?”
Sometimes companies will claim that no BAA is necessary because they never hold on to your information. They sometimes state that the information is encrypted and that they don’t have the encryption keys (so they can’t read it.) Or they’ll state that they delete the information after you’re done with it. We have been asked many times at Office Hours about such companies, and it’s very rare that they are correct in asserting that no BAA is necessary in order to use them.
Most of these companies are claiming that no BAA is necessary because of the “conduit exception” to the Business Associate Rule. We won’t go into the details of it here, but you can read Rob Reinhardt’s article on the conduit exception here.
We have two concerns that arise when a company claims the conduit exception:
- They are avoiding execution of a BAA contract with you. There are some companies that claim the conduit exception, but they will still execute the contract with you if you ask for it. In that case, they are easier to trust. But a company that wants to handle your client information for you but is avoidant about entering into a BAA may not be a company you want to trust with your information.
- They don’t always understand the details of the conduit exception. We have done many vendor reviews for our support subscribers in which a company claims the conduit exception, but we easily found holes in their analysis of the rule. A common error is that the company keeps a record of when you and/or your client accessed the service. This information is protected by HIPAA, and triggers Business Associate status when a company maintains it.
We have seen even more egregious errors in analysis. Unless you already have solid, independently verified reason to trust a given company, we implore you to be wary of trusting any of their analyses that claim you can bypass HIPAA rules by working with them.
Security consulting firms that perform HIPAA security risk analyses say that clinicians frequently overlook the need for BAAs. The Office of Civil Rights’ 2016 Phase 2 audit protocol also included an analysis of whether or not practices have their BAAs in order.
Do you use any outside companies (including all your cloud services!) or professionals to perform services wherein they have access to your clients’ personally-identifying information? Do those companies or people follow your practice’s operational policies or do they follow their own? If the answer to that last question is “they follow their own,” consider acquiring a BAA with those people if you don’t already have one.