When it comes to sensitive medical data that includes patient information, privacy is everything. Under the Health Insurance Portability and Accountability Act (HIPAA), healthcare companies that handle their patients’ personal data cannot permit public access to, or disclosure of, personal information without the individual patient’s consent or knowledge.
Organizations covered by HIPAA often partner with other organizations or individuals to perform business activities on their behalf, and sometimes these functions require access to personal health information. The disclosure of personal health information is allowed to a “business associate.” However, the third party can only access and use relevant personal information for the specified business purposes. Additionally, a business associate must maintain the security and privacy of patients’ personal information.
A business associate agreement (BAA) is a way for organizations to protect themselves from improper access and disclosure by third parties. While BAAs address the issue of data privacy through a legal lens, they are no substitute for robust data privacy protection measures. Even if business associates were to always behave in good faith, they still represent a potential point of vulnerability and an access path for malicious actors seeking patient data.
The Specifics of Business Associate Agreements (BAAs)
Due to legal and compliance issues, organizations covered by HIPAA often enter into formal written agreements with business associates that have access to personal health information. The 2013 HIPAA Omnibus Rule provides guidance on what should be included in these agreements. The rule states that a covered organization must receive concrete, written assurance from its associate pertaining to the safeguarding of any protected information that it receives or creates for the covered organization.
In other words, third parties must promise to do their best to keep confidential information confidential. While they should have technological data protection measures in place, the BAA provides an additional, legal layer of protection, albeit a thin one. Without foundational data privacy safeguards in place — such as what the TripleBlind Solution offers — they leave themselves open to data breaches.
A business associate agreement must outline the permitted uses of personal information. It must also explicitly state that the business associate will not use or disclose the protected information beyond what is outlined in the written agreement. If the business associate violates the written agreement, the covered organization must take reasonable steps to address any HIPAA violations. If the covered entity cannot successfully address any violations, it must terminate the agreement and report all violations to government authorities.
Both the covered organization and the business associate benefit from entering into a comprehensive written agreement. This measure helps all involved parties understand expectations related to the transfer, storage, and use of personal health information. HIPAA business associate agreements also support compliance and serve as proof for government inspectors that the appropriate steps were taken to ensure the proper use and protection of personal health information. However, having only a BAA as a way to protect private data presents a substantial risk. Without additional safeguards in place, the agreements rely heavily on trust: trust that the partner will not engage in nefarious activity or otherwise misuse, misplace, or unintentionally compromise the privacy and security of sensitive information through negligence. Again, BAAs should not be the only privacy protection measure in place. Breaches of sensitive data are irreversible, meaning there are no remedies after the fact, other than stopping the continued leakage.
When Business Associates Violate HIPAA
Business associates that violate a written agreement have more to worry about than just business-related consequences. These third-party organizations can also be held liable for the exposure of personal health information under HIPAA regulations if they do not remain BAA compliant.
According to the Department of Health and Human Services, business associates can be held liable for a number of HIPAA violations, including:
- Improperly using or disclosing personal health information
- Not meeting the requirements outlined by the 2013 HHS Omnibus rule
- Not being able to provide compliance-related records and reports upon request from government regulators
- Retaliating against individuals or organizations for registering a HIPAA complaint
- Retaliating against individuals or organizations for participating in a compliance investigation or enforcement action
- Not notifying a covered organization or another business associate of a data breach or misuse
- Failing to provide a copy of an individual’s personal health information upon request
- Not limiting the use or access of personal information to the purposes for which it was provided
- Not entering into or complying with business associate agreements for subcontractors or additional third parties that receive or create personal health information
- Failing to take reasonable action in the event of a data breach or subcontractor’s violation of a business associate agreement
The Risk of Relying on BAAs
The primary issues with BAAs are that they provide only post-facto mechanisms for punishing bad actors, and that they are complex, onerous, and expensive to put in place.
There are two situations in which a BAA would fail. The first would be negligence on the part of the third party. The second is when the monetary benefit of breaking a BAA is far greater than the potential penalties.
Given the limitations, businesses must invest resources in scrutinizing third parties before entering into an agreement with them. The level of scrutiny an organization places on a third party should be dictated by the type and amount of data it will be handling. Patient files are more sensitive than summary statistics about workforce demographics or app usage data.
Any business that uses BAAs should also conduct annual reviews of existing business associates. Often, annual reviews are part of a HIPAA BAA checklist that is used in tandem with the company’s procurement cycle. This forces vendors to participate in a reassessment before their fees are paid.
Companies often have to contract a neutral third party that conducts the assessment of business associates. Attorneys that specialize in HIPAA and business associate agreements are best positioned to conduct these assessments, and their services can be costly.
Back Up BAAs with Superior Data Protection
There is a lot of uncertainty when it comes to handling sensitive personal information. Fortunately, next-generation privacy technology from TripleBlind can eliminate much of this uncertainty by optimizing your organization’s protection for data in use.
While BAAs are an integral piece of the data privacy pie, our trusted cutting-edge solution facilitates better privacy and security for organizations around the world, helping our clients put their sensitive data to use. When it comes to working with business associates, TripleBlind allows health organizations to make their data accessible while also ensuring that it remains protected at every step, enforcing BAA compliance through technology, not trust.
TripleBlind preserves privacy and enforces compliance through its software-only, API-based solution. The company’s innovations build on well-understood principles like federated learning and multi-party computation to radically improve the practical use of privacy-preserving technologies and HIPAA-compliant privacy. Plus, the TripleBlind solution offers auditable digital rights, allowing healthcare and life sciences organizations to set how data may be used by a counterparty. That ensures that patient data is used by business associates in approved ways only. Our technology also compared favorably to several other privacy-enhancing computation methods, including homomorphic encryption, synthetic data, federated learning, and differential privacy.
Please contact us to set up a demo and learn more about our revolutionary technology.
TripleBlind is built on novel, patented breakthroughs in mathematics and cryptography, unlike other approaches built on top of open source technology. The technology keeps both data and algorithms in use private and fully computable.