HHS releases new ‘fact sheet’ on Business Associate liability

The agencies responsible for IT security and data privacy have a lot of flexibility over what they choose to prosecute. You don’t need to be a mind-reader to know what they’re thinking though. All you have to do is look at the statements and guidance they release. So, when I saw that a new fact sheet had been released on Business Associate Liability under HIPAA, I took notice. If you’re a software developer creating SaaS applications for healthcare, here are some things you need to know.

What is a Business Associate?

HHS defines a Business Associate as a “person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” Connectria would be considered a Business Associate because we store our customer’s Protected Health Information (PHI) in our cloud.

Most SaaS developers of healthcare solutions would also be considered Business Associates because their solutions handle PHI. They also store PHI on their servers, in a third-party data center, or in a hyperscale cloud such as AWS or Azure. For example, we have customers that are SaaS developers that house their solutions in one of our data centers. SaaS developers also rely on us for the configuration and on-going management of their AWS and Azure clouds.

“We initially chose Connectria since they were a reputable hosting provider. We also chose them because they’re one of the rare providers with a strong HIPAA compliant hosting background. Connectria really helped us get off the ground. They fully understood compliance, what is required and how to help us achieve and maintain compliance. We found there just weren’t many hosting companies out there with that level of experience.”

Joe Lesters, EVP, Technology, ePreop

Liability

As a SaaS developer, you should also know that there are no changes to either the HIPAA or HITECH regulations announced in this fact sheet. It seems some believe that, prior to this fact sheet, Business Associates could not be held liable by the HHS’s Office of Civil Rights (OCR). Though they could be held liable by the healthcare organizations whose PHI they handled.

We believe Business Associates could always be held liable. If not, wouldn’t HHS have amended the actual regulations instead of just issuing a fact sheet? In previous administrations, the OCR just chose to place the burden of compliance on the healthcare provider. Of course, I should state that we are not lawyers, and questions of liability should always be referred to a qualified legal counsel.

Privacy and Protection

The OCR can still hold your healthcare customers responsible for any violations committed by their Business Associates as well. Healthcare organizations are still responsible for ensuring the privacy and protection of the PHI they collect regardless of where it resides. If it is being handled by a third-party on their behalf, they’re still responsible for it.

As we see it, there aren’t many limitations to what the Business Associate can be held liable for. Some pundits are making a big deal about the fact sheet containing this statement: ‘OCR has authority to take enforcement action against business associates only for those requirements and prohibitions of the HIPAA Rules that appear on the following list.’ But then, when you read the 10-point list, you’ll see it’s fairly comprehensive and includes pretty much everything related to PHI.

Contact Connectria for more information. While there is no official certification for HIPAA/HITECH compliance, our data centers and our people go through rigorous testing each year. We’ve also compiled a 35-point checklist on what healthcare organizations should look for in an MSP. You can use it to do a high-level assessment of your own capabilities or any third party MSPs you’re considering.