HHS releases new ‘fact sheet’ on Business Associate liability
The agencies responsible for IT security and data privacy have a lot of flexibility over what they do and don’t choose to prosecute – regardless of what the regulations include. You don’t need to be a mind-reader to know what they’re thinking, though. All you have to do is look at the statements and guidance they release.
So, when I saw that a new fact sheet had been released on Business Associate Liability under HIPAA, I took notice. If you’re a software developer creating SaaS applications for healthcare, here are some things you need to know.
First things first: What is a Business Associate? HHS defines a Business Associate as a “person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” As an MSP ourselves, Connectria would be considered a Business Associate because we store our customers’ Protected Health Information (PHI) in our cloud.
Most SaaS developers of healthcare solutions would also be considered Business Associates because their solutions handle PHI, and they store PHI on their own servers, in a third-party data center, or in a hyperscale cloud such as AWS or Azure. For example, we have customers who are SaaS developers and house their solutions in one of our data centers, and we have SaaS developers who rely on us for the configuration and ongoing management of their AWS and Azure clouds.
“We initially chose Connectria since they were a reputable hosting provider but also since they’re one of the rare providers with a strong HIPAA compliant hosting background. Connectria really helped us get off the ground. They fully understood compliance, what is required and how to help us achieve and maintain compliance. We found there just weren’t many hosting companies out there with that level of experience.”
Joe Lesters, EVP, Technology, ePreop
As a SaaS developer, you should also know that there are no changes to either the HIPAA or HITECH regulations announced in this fact sheet. Reading the opinion pieces regarding this announcement, it seems some believe that, prior to this fact sheet, Business Associates could not be held liable by the HHS’s Office of Civil Rights (OCR). (Though they could be held liable by the healthcare organizations whose PHI they handled.)
We believe Business Associates could always be held liable. If not, wouldn’t HHS have amended the actual regulations instead of just issuing a fact sheet? In previous administrations, the OCR just chose to place the burden of compliance on the healthcare provider. Of course, I should state that we are not lawyers, and questions of liability should always be referred to qualified legal counsel.
The OCR can still hold your healthcare customers (known as ‘covered entities’ in HIPAA and HITECH) responsible for any violations committed by their Business Associates as well. Healthcare organizations are still responsible for ensuring the privacy and protection of the PHI they collect, regardless of where it resides. If it is being handled by a third party on their behalf, they’re still responsible for it.
As we see it, there aren’t many limitations to what the Business Associate can be held liable for. Some pundits are making a big deal about the fact sheet containing this statement: ‘OCR has authority to take enforcement action against business associates only for those requirements and prohibitions of the HIPAA Rules that appear on the following list.’ But then, when you read the 10-point list, you’ll see it’s fairly comprehensive and includes pretty much everything related to PHI.
There is no official certification for HIPAA/HITECH compliance, but our data centers (and our people) go through rigorous testing each year. We’ve also compiled a 35-point checklist on what healthcare organizations should look for in an MSP that you can use to do a high-level assessment of your own capabilities or any third party MSPs you’re considering working with.