Business Associate Agreements in Software Development


Software companies that provide services to healthcare organizations (Covered Entities) are, in most cases, Business Associates and must comply with HIPAA. For SaaS vendors, failing to maintain HIPAA compliance can shrink your potential customer base, because HIPAA-regulated organizations generally require the vendors they use to be HIPAA compliant as well.

Given that many tech companies will, at some point, handle Protected Health Information (PHI), they will need to sign a Business Associate Agreement.

The Omnibus Rule, implemented in 2013, raised the stakes of Business Associate Agreements (BAAs) by making Business Associates directly liable for compliance with HIPAA.

Wondering what a Business Associate Agreement entails and what it means for your organization? Keep reading to find out!

What is a Business Associate?

Business Associates are persons or entities that create, receive, maintain, or transmit Protected Health Information on behalf of a Covered Entity.

HIPAA recognizes three categories of regulated entities:

  • Covered Entities (CEs)
  • Business Associates (BAs)
  • Business Associate Subcontractors (BASs), which HIPAA treats as Business Associates in their own right

Covered Entities are the organizations to which HIPAA applies directly. They fall into three groups:

  • Healthcare Providers, including clinics, psychologists, doctors, dentists, pharmacies, chiropractors, and nursing homes, that transmit health information electronically in connection with a HIPAA-covered transaction.
  • Health Plans, including health insurance companies, company health plans, health maintenance organizations, and government programs that pay for healthcare, such as Medicare.
  • Health Care Clearinghouses, meaning entities that process nonstandard health information received from another entity into a standard format, and vice versa.

In general, the easiest way to tell whether you are a Business Associate of a Covered Entity is whether you have access to that Covered Entity's Protected Health Information. If you sell or license software to third parties and want to work with healthcare companies, plan on being HIPAA compliant and treat yourself as a Business Associate. If your software processes PHI, you must be HIPAA compliant and are a Business Associate of the Covered Entities whose PHI it handles. And if you provide software services (e.g. web development) to Covered Entities and can access their PHI while doing so, you must be HIPAA compliant and are their Business Associate. A vendor that cannot access PHI at all (for example, one that only ever handles data that has been de-identified before it reaches you) is generally not a Business Associate.

Business Associate Subcontractors are contractors hired by a Business Associate. Business Associate Subcontractors must be HIPAA compliant if they have access to PHI, just as Business Associates must. The following image from TotalHIPAA explains the relationship between Covered Entities, Business Associates, and Business Associate Subcontractors:

Covered Entity vs. Business Associate

Source: TotalHIPAA

The most common activities of Business Associates and Business Associate Subcontractors include:

  • Processing of claims
  • Data analysis
  • Quality assurance
  • Administration or processing of data
  • Benefit management
  • Repricing
  • Billing
  • Practice management
  • Software services

Business Associate activities include software services, accounting, legal services, data aggregation, accreditation, actuarial, consulting, administrative, financial, and management services. Software providers, cloud service providers, and IT vendors often fall into the Business Associate category.

Common Business Associates in Software Development

Covered Entities typically engage Business Associates when they need to outsource the handling of their data. In software development, a Business Associate is any vendor that has access to a Covered Entity's PHI. For example:

  • Software development teams might have access to PHI through your databases or many other services. This includes third-party contractors.
  • DevOps teams are likely to have access to PHI through your databases. This includes third-party contractors.
  • Data analysts are likely to have access to PHI through your databases. This includes third-party contractors.
  • Email providers and other messaging services might have access to PHI if you include it in emails.
  • Medical Billing vendors are likely to have access to PHI in order to process bills.
  • Cloud Hosting providers almost certainly have access to PHI in some way.
  • Cloud Storage providers are likely to store assets that contain PHI.
  • Analytics tools might need access to customer PHI in order to function.
  • Telehealth providers, EHR systems, and any other software used routinely within hospital settings are very likely to have access to PHI.

Independent contractors are individuals or organizations that work with a Covered Entity but are not part of the CE's workforce. A contractor must sign a Business Associate Agreement with the Covered Entity if it handles any PHI on the CE's behalf.

What is a Business Associate Agreement?

Contractors and Business Associates enter into a legally binding relationship with a Covered Entity by signing a Business Associate Agreement (BAA).

According to the U.S. Department of Health and Human Services (HHS), a Business Associate must sign a Business Associate Agreement with a Covered Entity if the work involves creating, receiving, maintaining, or transmitting Protected Health Information (PHI) on the Covered Entity's behalf.

A Business Associate Agreement defines each party's responsibilities for safeguarding PHI. This is the shared responsibility model for HIPAA compliance: each party has to do its own part to maintain compliance. Note that signing a BAA with a third party does not automatically make the services you build on top of it HIPAA compliant; it means the third party has put in place the protections necessary to offer you HIPAA-compliant services. For example, Amazon Web Services (AWS) signs BAAs with healthcare customers. That does not make your infrastructure HIPAA compliant by itself. It means AWS has given you the tools needed under your service agreement to build a HIPAA-compliant architecture on AWS. The practical consequences are that the AWS BAA covers only the services AWS designates as HIPAA-eligible, so PHI must be kept out of any other service, and that configuration choices such as encryption at rest and in transit, access control, and audit logging remain your responsibility.

Provisions of Business Associate Agreements

A Business Associate Agreement should meet the following HIPAA requirements:

  • Define the kinds of PHI the Business Associate and its Business Associate Subcontractors may access, and the permitted uses and disclosures of that PHI.
  • Require the Business Associate to implement appropriate safeguards to protect the PHI.
  • Prohibit the Business Associate from using or disclosing the PHI except where the agreement allows.
  • Clearly state the procedure to follow if a data breach or other security incident occurs, including how and when the Business Associate must report it to the Covered Entity.
  • State the HIPAA training expectations for workforce members who will handle PHI, so that employees on both sides know how to safeguard it.
  • Address subcontractor compliance. The agreement should require the Business Associate to flow the same restrictions and conditions down to any subcontractor that handles the PHI.
  • Provide detailed terms for termination of the agreement, including the Covered Entity's right to terminate if the Business Associate materially breaches it.
  • Describe the PHI return or destruction process. The agreement should state how the Business Associate must return or destroy the PHI when the agreement ends, and what happens if return or destruction is not feasible.

Do I Have to Sign a Business Associate Agreement?

You must sign a Business Associate Agreement if the services you perform on behalf of a Covered Entity involve creating, receiving, maintaining, or transmitting Protected Health Information (PHI).

Software companies and cloud providers that want to work with healthcare organizations should expect to sign a Business Associate Agreement with the contracting healthcare provider, because the relationship will involve storing, processing, and transmitting PHI.

If you are a service provider that is considering getting into a business relationship with a Business Associate or a Covered Entity that involves access to PHI, make sure to establish HIPAA compliance before entering into a contract.

Who Do I Sign a Business Associate Agreement With?

HIPAA regulations require Covered Entities to sign a Business Associate Agreement with any hired Business Associate that comes into contact with PHI. Additionally, a Business Associate that hires a third party (a Business Associate Subcontractor) with access to the Covered Entity's PHI must sign a Business Associate Agreement with that third party. Note the chain of agreements in this scenario: Business Associate Subcontractors sign BAAs with Business Associates, and Business Associates sign BAAs with Covered Entities. Business Associate Subcontractors do not sign a BAA with the Covered Entity directly.

Covered Entities should only engage Business Associates that provide satisfactory assurances that they will appropriately safeguard PHI. The agreement between the Business Associate and the Covered Entity must be in writing. A Covered Entity or Business Associate should never give a third party access to PHI without a signed Business Associate Agreement in place first.

Liability for Signing a Business Associate Agreement

Since the Omnibus Rule, a Business Associate is directly liable under HIPAA for its own compliance, whether or not a Business Associate Agreement has been signed. Signing the BAA adds contractual obligations to the Covered Entity on top of that regulatory liability. A Business Associate faces civil and, in some cases, criminal penalties for using or disclosing PHI in ways the Covered Entity has not authorized.

Business Associates and Business Associate Subcontractors are also liable and subject to penalties when they fail to safeguard electronic PHI (ePHI) as required by the HIPAA Security Rule.

If a Business Associate materially breaches the agreement, the Covered Entity should give it an opportunity to cure the breach and should terminate the contract if those efforts fail. If termination is not feasible, the Covered Entity should document the situation and report the problem to the Office for Civil Rights (OCR).

Business Associates should be aware of the consequences of failing to comply with HIPAA regulations, which include fines from regulators for PHI violations.

Civil penalties for HIPAA violations are imposed by the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS); criminal cases are referred to the Department of Justice. Both Business Associates and Covered Entities can be penalized.

Below are the four penalty tiers for HIPAA civil violations, as summarized by AccountableHQ. The dollar figures are the base amounts set in statute; HHS adjusts them annually for inflation, and each tier is also subject to an annual cap per identical provision violated.

  • Tier 1 applies when the entity did not know, and by exercising reasonable diligence would not have known, that it was violating HIPAA. The penalty ranges from $100 to $50,000 per violation.
  • Tier 2 applies to violations due to reasonable cause and not willful neglect. The penalty ranges from $1,000 to $50,000 per violation.
  • Tier 3 applies to violations caused by willful neglect that were corrected within the required period. The penalty ranges from $10,000 to $50,000 per violation.
  • Tier 4 is the highest level. It applies to violations caused by willful neglect that were not corrected. The penalty is $50,000 per violation.

Tools for Managing Business Associate Agreements

Covered Entities and Business Associates alike should consider using Business Associate management tools to track their agreements, improve compliance, and reduce the chance of PHI violations.

Examples of Business Associate Agreement Tools

There are many online tools and services that help you establish HIPAA compliance. Here are some of our favorites:

Accountable HQ

Accountable HQ is an all-in-one HIPAA compliance management platform.

  • The Vendor Security Playbook by Accountable helps you monitor vendors to ensure they protect PHI.
  • The HIPAA Compliance Playbook fast-tracks compliance with HIPAA regulations for companies that handle PHI.
  • The Workflow Designer helps your organization draft and approve Business Associate Agreements through electronic workflows.

IronClad

IronClad is a modern contract lifecycle management (CLM) platform with a centralized data repository. It lets you upload Business Associate Agreements at scale and extract data from them with ease.

Business Associate Management

Business Associate Management (BAM) is a cloud-based tool that meets HIPAA and HITECH documentation requirements and organizes all of your contracts, including Business Associate Agreements.

Flatirons is a HIPAA-Compliant Business Associate

Flatirons provides custom healthcare software development services and is your trusted partner if you are looking for a reliable Business Associate to assign projects containing protected health information.

We understand that working with third parties can increase the risk of PHI violations. Flatirons commits to full compliance with the Business Associate Agreement and HIPAA regulations throughout our contract.

We are a HIPAA-Compliant Business Associate ready to sign a Business Associate Agreement with your company. Contact Flatirons to discuss your HIPAA-compliant software project.
