In 2016, a survey undertaken by Bomgar revealed that the average company’s network is accessed by 89 different vendors every week, and, worryingly, only a third of companies knew the exact number. Regardless of industry, this is a shocking statistic, but within healthcare such lax controls can be disastrous.
Under the Health Insurance Portability and Accountability Act (HIPAA), any third-party organization, contractor, vendor, or service provider that is able to access protected health information (PHI) in order to provide a service and/or technology to a HIPAA covered entity is known as a business associate.
If a covered entity engages a business associate to help it carry out its healthcare activities and functions, a written business associate agreement (BAA) must exist between the two parties, which establishes specifically what the business associate has been engaged to do, as well as its ongoing commitments to HIPAA compliance and data security.
The cost of not signing a BAA
BAAs are legally binding contracts whose terms are enforceable in court, so it is vital that they are signed (executed) by both parties in order to comply with the rules of HIPAA. Failure to obtain an up-to-date and valid agreement can be detrimental to both covered entities and their business associates, with the OCR imposing serious penalties on organizations that have exchanged PHI before a BAA was signed, or that have no BAA at all. To highlight this, last year The Center for Children’s Digestive Health (CCDH) was hit with a hefty fine of $31,000 for failing to produce a valid BAA for one of its cloud storage providers.
Exceptions to the rule
HIPAA states that BAAs are mandatory for any regular or frequent activity involving an exchange of PHI, with the exception of direct clinical care or payment for care. Other exceptions might include entities that transport or transmit PHI but have no need to access or store it, for example couriers, the United States Postal Service, or internet and network service providers (ISPs). Such entities are able to claim the ‘conduit exception’, because their access to PHI is specific and restricted.
The HHS defined the ‘conduit exception’ in January 2013 as part of the HIPAA Omnibus Final Rule, stating that “…The conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services.”
Understanding the distinction between these types of entities is essential, particularly for organizations that regularly transmit healthcare documents through a mobile messaging provider claiming the ‘conduit exception’, because doing so without a BAA carries risk. Some vendors ask their HIPAA-regulated customers to select a HIPAA conduit setting in their messaging portal, removing the vital BAA step from the process and leaving the whole chain noncompliant.
If a business associate falls victim to a breach and there is no BAA in place, the covered entity could be liable for the damages and left to settle the fines. As a covered entity, it pays to be wary of vendors and business associates that claim to be a ‘conduit service’ for information as a way of avoiding signing a BAA. The message is simple: if a vendor won’t sign a BAA, don’t work with them.