The healthcare industry has come up against unprecedented pressure in recent years. Digital transformation has had a significant role to play when it comes to creating the efficiency needed to deal with the challenges of a global pandemic, in addition to the other mounting challenges of aging populations, staffing shortages, rising costs, and regulatory changes.
But whilst digital transformation has unquestionably benefited the healthcare sector, it is not without its challenges. As more healthcare entities come together to deliver professional services, HIPAA compliance must still be maintained in order to preserve and protect data privacy and patient confidentiality.
In this article, we’ll explore some of the opportunities and best practices that should be considered with regard to HIPAA regulations and Business Associate Agreements, as healthcare becomes increasingly collaborative and digital.
The Rise of Collaborative Technology in Healthcare
Healthcare as a sector is constantly evolving – specialist providers, vendors, services, and support software all come together to contribute towards improved patient experience and outcomes. In the modern age, this means a great deal of shared digital information – information that is often highly personal and confidential – requiring the utmost of caution when it comes to the way in which it is handled and transferred.
Digital collaboration has become increasingly essential in recent times. With the rise of computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems, medical data now pass through a wide range of vendors and entities. Similarly, from data input to payment, modern health plans provide digital access to claims, as well as care management and self-service applications.
As healthcare becomes complex and pressured, there’s a need for more intersectionality between HIPAA-covered entities and the vendors they rely upon. Collaborative technology represents a huge opportunity here, with the potential to streamline processes and create efficiencies within established workflows. But when it comes to compliance, care must be taken – HIPAA-compliant business associate agreements need to factor in the additional aspects and challenges of digital collaboration.
What is a HIPAA-Compliant Business Associate Agreement?
What is meant by a HIPAA-Compliant Business Associate Agreement? Within the scope of the healthcare sector, a “business associate” refers to a person or entity that provides certain services to (or undertakes functions or activities on behalf of) a covered entity, and which, in the undertaking of this role, requires the covered entity to grant it access to protected health information (PHI).
A business associate can also refer to a subcontractor that creates, receives, maintains, or transmits PHI on behalf of another business associate. When considering the scope of digital collaboration, this is a particularly important distinction. It means that a vendor is also classed as a BA if, as part of the services they provide, electronic PHI (ePHI) passes through their systems.
For example, if you’re using Slack to communicate within your healthcare-related business, and sharing PHI on the platform, this means that Slack is a business associate, and as such, a business associate agreement (BAA) would need to be established.
A business associate agreement is a contract that defines the types of protected health information (PHI) that will be provided to the business associate in question. It will also stipulate the allowable uses and disclosures of PHI, as well as the special measures that must be implemented to protect that information. This might include conditions such as mandatory encryption – at rest and in transit. Additionally, a BAA will commonly define the actions that the business associate must take if a breach of data occurs, in order to mitigate damage caused.
Meeting HIPAA Head On
HIPAA stands for “The Health Insurance Portability and Accountability Act” – a United States federal statute enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1996.
As personally identifiable information (PII) held and maintained by healthcare and health insurance industries became increasingly portable, HIPAA compliance rules were enacted primarily to modernize the flow of this valuable data, at the same time as protecting it from theft and fraud.
The act plays a crucial role in protecting patient privacy and confidentiality, securing protected health information (PHI) that could be used to identify a patient or client of an entity. Common examples of PHI include names, addresses, full facial photos, phone numbers, medical records, financial information or Social Security numbers.
The rise of electronic protected health information (ePHI) has necessitated a new and highly conscious approach towards the execution of BAAs. As already highlighted, if ePHI is passing through software used to collaborate or communicate with colleagues or other business associates, a fully compliant BAA must be in place.
Some of the pitfalls commonly encountered here include assuming that encryption alone is enough to comply, assuming that compliance “starts and ends” with a signed BAA (“satisfactory assurances” must still be actively pursued!), and misunderstandings concerning the “conduit” exception (while there are exceptions for entities through which ePHI simply passes, most cloud service and software providers will still require HIPAA compliance and BAAs).
Financial Penalties: What’s at Stake?
Business Associate Agreements are required by law and HIPAA breaches can occur as a result of failing to sign BAAs with cloud vendors. Penalties for HIPAA violations fall within four tiers, each relating to the degree of culpability found to be applicable.
A Tier 1 violation would be ascribed if the entity in question was unaware of their HIPAA violation, and by exercising reasonable due diligence would not have known that HIPAA rules had been violated. This would carry a maximum penalty of $25,000 per year. At the other end of the spectrum, a Tier 4 violation would occur as a result of willful neglect of HIPAA rules, with no effort made to correct the violation within 30 days of discovery. A Tier 4 violation would carry a penalty of as much as $1.5 million per year.
HIPAA-beholden entities can and do fall foul of these regulations. Many financial penalties for business associate agreement failures have been issued by the HHS’ Office for Civil Rights to entities that failed to obtain a signed HIPAA-compliant BAA from at least one vendor. 2016 was a particularly notable year for these prosecutions, with Raleigh Orthopaedic Clinic, P.A. of North Carolina fined $750,000, North Memorial Health Care of Minnesota $1,550,000, and Oregon Health & Science University receiving a penalty of $2,700,000.
Ensuring Best Practice and Compliance
When it comes to ensuring that HIPAA-Compliant Business Associate Agreements can be made and upheld, what are some of the best practices to establish and maintain? The U.S. Department of Health and Human Services (HHS) places focus on both the physical and the technical safeguards that entities hosting sensitive ePHI should observe.
- Limited facility access and control with authorized access in place
- Policies about use and access to workstations and electronic media
- Restrictions for transferring, removing, disposing, and re-using electronic media and ePHI
Access control can also provide the technical safeguards necessary for compliance, and these might include measures such as:
- Using unique user IDs
- Emergency access procedures
- Automatic log off
- Audit reports or tracking logs (recording activity on hardware and software)
When thinking about the perspective of shared collaborative platforms specifically, best practices include:
- Monitoring for data leakage
- The ability to view deleted or edited messages to check for policy compliance
- Keeping searchable logs to enable easy auditing and eDiscovery
How Pagefreezer Helps Achieve Safer Digital Collaboration Within Healthcare
As we’ve seen, the establishment of valid and compliant BAAs is essential in order to meet the strict regulatory requirements of HIPAA. However, BAAs require more than a signature – the entities involved must demonstrate the “satisfactory assurances” that compliance is being actively pursued.
That’s where a solution such as Pagefreezer can come into play. By providing automated archiving of online data, Pagefreezer can help to improve information governance, ensuring an easier auditing process, and instant access to any data that might be required as the result of an eDiscovery request.
Similarly, keyword monitoring and alerts, calibrated to detect sensitive ePHI shared outside of policy use, can greatly assist in data loss prevention. If a HIPAA transgression is alleged, conversation logs can swiftly be placed on legal hold with just a couple of clicks, ensuring that all digital evidence is safe from deletion and securely preserved.
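To make the monitoring described above concrete, here is an added example (not Pagefreezer's code, and not tied to any real platform) that scans a constructed export of collaboration messages for the PHI identifiers the article lists, flags hits that appear in channels outside an assumed policy, and marks selected messages as held so a retention job would skip them. The message set, the rules and the approved-channel policy are all constructed assumptions.

```python
import re

# Constructed sample export; the people, channels and numbers are invented.
SAMPLE_MESSAGES = [
    {"id": 1, "channel": "#billing", "user": "alice", "text": "Claim for patient, SSN 123-45-6789, please review"},
    {"id": 2, "channel": "#general", "user": "bob", "text": "Lunch at noon?"},
    {"id": 3, "channel": "#radiology", "user": "carol", "text": "MRN 00482913 scan results attached"},
    {"id": 4, "channel": "#general", "user": "dave", "text": "Call me on 555-867-5309 about the schedule"},
]

# Detection rules: (name, pattern, severity). The keyword-style MRN rule is the kind
# of calibrated term the article refers to; patterns are deliberately simple.
RULES = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "high"),
    ("mrn", re.compile(r"\bMRN\s*\d{6,}\b", re.IGNORECASE), "high"),
    ("phone", re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), "medium"),
]

# Assumed policy: channels where ePHI is expected and covered by the BAA's terms.
APPROVED_CHANNELS = {"#billing", "#radiology"}


def scan_message(msg):
    """Return (rule, severity, out_of_policy) for every rule that fires on one message."""
    hits = []
    for name, pattern, severity in RULES:
        if pattern.search(msg["text"]):
            hits.append((name, severity, msg["channel"] not in APPROVED_CHANNELS))
    return hits


def scan_messages(messages):
    """Run every rule over an export and build alert records for review."""
    alerts = []
    for msg in messages:
        for name, severity, out_of_policy in scan_message(msg):
            alerts.append({"message_id": msg["id"], "rule": name,
                           "severity": severity, "out_of_policy": out_of_policy})
    return alerts


def legal_hold(messages, message_ids):
    """Return copies of the messages with a legal_hold flag set on the chosen ids."""
    ids = set(message_ids)
    return [dict(m, legal_hold=(m["id"] in ids)) for m in messages]


def redact(text):
    """Mask matched identifiers so an alert can be shown without re-exposing ePHI."""
    for _, pattern, _ in RULES:
        text = pattern.sub("[REDACTED]", text)
    return text
```

Running `scan_messages(SAMPLE_MESSAGES)` yields three alerts, of which only the phone number posted in #general is flagged as out of policy; the SSN and MRN hits land in approved channels and would be reviewed rather than escalated.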
Get Ready For The Future Of Digital Collaboration In Healthcare
As our healthcare system continues to adapt, evolve, and improve, the need for safe, secure, and compliant digital collaboration will only increase. BAAs will continue to be a baseline necessity, but beyond ensuring these are in place, it will become increasingly important for responsible entities to invest additional care and consideration into the way that they are upheld and maintained.
Online social and collaboration platforms have the capacity to represent a “weak point” when it comes to data leakage – and yet they will undoubtedly continue to represent an important component of modern healthcare. Solutions such as Pagefreezer can help play a role in actively reducing this risk, demonstrating the fact that compliance with the conditions set by a BAA is actively being pursued.