Health care companies take on a significant amount of risk when they manage patient information. They have to comply with strict federal rules, and working with those rules often means shouldering some of that regulatory burden.
The HIPAA business associate agreement (BAA) helps define what that working relationship looks like. Unfortunately, BAAs aren’t boilerplate contracts. BAA requirements vary, depending on the complexity of services, risk, and companies involved.
What’s more, it isn’t unusual for larger companies to expect startups to take on more risk than they should during contract negotiations. There’s a lot at stake when HIPAA compliance is involved, and negotiations can feel like playing hot potato with millions of dollars.
Protect your startup. Learn the fundamentals before entering the arena.
Before We Dive Into BAA, a Quick Course on HIPAA
To understand what a business associate agreement is and whether you need one to work with your customer, let’s first establish some basics about HIPAA.
What is HIPAA?
HIPAA, or the Health Insurance Portability and Accountability Act, is a federal law that regulates the security and privacy of protected health information (PHI). Any business, from hospitals to HR solution platforms, that handles PHI in any way must be HIPAA compliant.
What is PHI?
PHI is any health information that’s tied back to an individual. For example, patient records, medical-treatment payments, and test results are all PHI. Basically, anything that combines health information with an identifier (like a name, address, Social Security number, etc.) is PHI.
Who Typically Handles PHI?
There are two types of organizations that handle PHI, as far as HIPAA is concerned: covered entities and business associates.
Covered entities are health care providers, such as clinics, pharmacies, nursing homes, clearinghouses, health insurers, and government health programs, among others.
Business associates are vendors who handle protected health information on behalf of a covered entity. For example, UltiPro, WageWorks, and Justworks are business associates because they store benefits information for other companies. Billing companies, such as Inbox Health, as well as analytics and logging platforms, such as Sumo Logic, are business associates, too.
The types of startups that fall into the business associate category might surprise you. Workplace staples Slack and Zoom put BAAs in place for health care companies that use their platforms. This allows employees to share PHI internally (Slack) and facilitates communication between covered entities and vendors (Zoom).
What is a Business Associate Agreement?
A business associate agreement is a contract between a covered entity (a health insurer or a hospital) and a business associate (a vendor).
The BAA stipulates exactly how the business associate will use and protect PHI. It also sets requirements for what needs to happen in the event of a data breach or a violation that impacts PHI.
This type of agreement opens your startup to business opportunities in the health space. Without an agreement in place, federal law limits you to only engaging with health companies in ways that don’t involve patient records and other types of PHI.
Chances are, if you want to grow upmarket by selling to companies in the health space, your startup will need a HIPAA business associate agreement at some point.
How Do You Know for Sure If Your Startup Needs a BAA?
Your startup needs a BAA if you handle PHI on behalf of another company.
But sometimes it’s not clear whether the health information you’re working with qualifies as PHI under HIPAA.
For example, a covered entity might provide you with de-identified PHI. De-identification modifies the health information to make it difficult or impossible to trace it back to the patient. The information then becomes something other than PHI and isn’t protected under HIPAA.
It’s not always easy to tell whether you’re working with properly de-identified PHI.
Take the HIPAA-approved safe harbor method, for example. It de-identifies PHI by removing all identifiers from the health information. That seems simple enough, until you look into what parts of zip codes, dates, and other details need to be removed and realize you’re in over your head.
The covered entity will know, however. It’s up to them to tell you whether you’re working with PHI and whether you are a business associate, in terms of your engagement.
What Does a HIPAA Business Associate Agreement Cover?
A BAA specifies how a business associate uses, discloses, and protects PHI. It also defines who is liable and what steps need to be taken if a breach occurs.
As a startup signing your first BAA, look for details on how you’re expected to deal with data events, such as the following:
- Making changes to PHI
- Fulfilling patient requests for access to their health information
- Handling PHI after the BAA is no longer in place
- Managing third-party PHI disclosures
The business associate agreement also defines what the startup should do in a breach scenario. Make sure the BAA is clear about your specific obligations in a breach situation, and look for anything that seems unreasonable. Here are a few things to watch out for:
- Can I meet the breach notification window? This is the amount of time you have to notify the covered entity about a breach. HIPAA requires notification within 60 days of discovering a breach, however, BAAs typically call for notification within 72 hours to a week.
- What constitutes a “security event” or breach? If the bar is set too low, you may have to tell your customer every time there’s a low-level mishap, like an isolated unsuccessful log-on or a hit on your web application firewall.
- Are the breach indemnification provisions fair? It’s not uncommon for covered entities and business associates to go back and forth on who’s liable in breach situations. The BAA should make this clear for both parties.
- What breach insurance requirements do I need to meet? These depend on the engagement.
Your Startup May Need Multiple BAAs
A BAA is specific to who you’re working with, how, and what level of risk is involved. If you plan on working with several covered entities, expect to write, negotiate, and sign a different BAA for each customer.
You might also need others to sign BAAs with you. This occurs when a startup works with a consultant or subcontracts another business to help manage PHI. This means that you might need two or more BAAs in place at once for a single engagement.
In most cases, those BAAs wouldn’t look the same as the BAA between the business associate and the covered entity. The BAAs between a business associate and contractor or consultant would be more concise and deal with only that contractor’s or consultant’s role with the PHI.
Pro tip: Don’t let consultants work from their own machines. Doing so drastically increases the scope of what’s required from a security review and BAA perspective. Instead, issue them company machines that you have control over.
How Startups Can Get Started with BAAs
To get ready for a BAA engagement, you’ll need a template, a lawyer, and an idea of how to answer your customers’ security questionnaires.
Draft a Template
The first step is writing a BAA template so you have a baseline to work from in conversations with customers. You can adapt an existing template, like this sample from HHS.
When drafting, keep in mind who your customers are and what they typically expect of you. If you’ve signed a BAA in the past, you can use that as an example for creating your template.
Don’t hire a lawyer just yet. Chances are, you’ll need to adapt your template to meet customer expectations anyway. This is particularly true when working with enterprise companies that are used to managing vendors and have more established expectations and processes.
Hire a HIPAA Professional to Review and Negotiate for You
The best time to hire a HIPAA professional is when you have your customer’s proposed BAA in front of you and are ready to negotiate. You can employ a contract lawyer or enlist help from Laika’s concierge experts to handle this part of the process for you.
Give your HIPAA professional context on the revenue cost of losing the business. That will help them (and you) come to negotiations from the perspective of what’s right for your company. It will also provide more guidance when deciding whether to agree to time- or resource-consuming BAA requirements.
For example, you might balk at the idea of giving another company the right to audit all of your business’s inner workings. However, it might make business sense to agree to a full right-to-audit clause in the BAA if this customer is worth the time and expense.
Prepare to Fill Out Security Questionnaires
You don’t need a HITRUST, third-party review, or a security framework to comply with a BAA. Instead, you will typically need to fill out a security questionnaire so a covered entity understands what measures you have in place.
The length and complexity of these questionnaires vary, depending on the companies and risk involved in the engagement. We’ve seen business associates have to fill out 60-page Word questionnaires line by line.
Laika helps startups quickly move through security questionnaires. The compliance solution platform holds all of your policies and documentation in one place for easy reference while you fill out the form. You can also speak with one of Laika’s experts for help on the tougher questions.
Make Sure You Read and Negotiate HIPAA BAAs Carefully
In trying to sell to enterprise customers, less-established startups may tend to agree to things in a BAA that aren’t ideal or may otherwise make sacrifices to win that business. It’s OK to negotiate, but keep it reasonable.
The most important thing is to make sure your responsibilities under HIPAA are clear, specific, and not overly burdensome.
For example, a covered entity might push for a strict breach notification window. Agree to it only if you’re sure it’s something you can meet if a breach occurs. Or, if you agree to a right-to-audit clause, be sure it’s clearly written and only impacts the areas of your business that are relevant for the contract.
You don’t want an interpretation to result in giving someone else the right to audit your entire business ecosystem—unless it makes business sense.