By JACOB REIDER & JODI DANIEL


Jacob: I recently needed to sign a Business Associate Agreement (BAA) with one of the large hosting providers for a new health IT project. What should have been straightforward turned into a multi-week educational exercise about basic HIPAA compliance. And when I say “basic,” I mean really basic, like the definitions in the statute itself.
Here’s what happened and why you need to watch out for this if you’re building health care technology.
I’m building a system that automates clinical data extraction for research studies. Like any responsible health care tech company, I need HIPAA-compliant infrastructure. The company (I’ll call them Hosting Company or HC) is good technically, and they’re hosting our development environment, so I signed up for their enhanced support plan (which they require before they’ll even consider a BAA) and requested their standard agreement.
The Problem
HC’s BAA assumes every customer is a “Covered Entity.” That means a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically.
But that’s not me. I’m not a Covered Entity. I’m a Business Associate (BA). I handle protected health information on behalf of Covered Entities. When I need cloud infrastructure, I need my vendors to sign subcontractor BAAs with me.
The Back and Forth
When I told HC that I couldn’t sign their BAA as written, they escalated to their legal department. Days later, a team lead came back with this response:
“To HC, even if you are a subcontracted or a down the road subcontracted association. It would still be an agreement between the covered entity within the agreement and HC… So even being a business associate, it would still be considered a covered entity since it is your business that is being covered.”
I had to read it twice. This is simply wrong.
Jodi: Let me chime in here with the legal perspective, because this confusion is more common than it should be.
The terms “Covered Entity” and “Business Associate” aren’t interchangeable marketing terms. They have specific legal definitions in 45 CFR § 160.103. You can’t just redefine them because it’s administratively convenient. Generally… covered entities are (most) health care providers, health plans, and health care clearinghouses; business associates are those entities that have access to protected health information to perform services on behalf of covered entities; and subcontractors are persons to whom a business associate delegates a function, activity, or service.
Here’s what the regulations actually say:
Covered entities are required to have BAAs with the entities that use protected health information to provide services on their behalf (i.e., their business associates or BAs) under 45 CFR § 164.502(e). Under 45 CFR § 164.502(e)(1)(ii) and § 164.308(b)(2), BAs aren’t just permitted but required to execute subcontractor BAAs with other vendors that create, receive, maintain, or transmit PHI on their behalf.
When that happens, the subcontractor also becomes a BA (sometimes called a “Business Associate of a Business Associate” or a “Subcontractor”). The HIPAA obligations cascade down the chain. Covered entities are not required to have BAAs with Subcontractors. 45 CFR § 164.502(e)(1)(i).
That’s exactly what’s happening in Jacob’s situation:
- The Covered Entities (the health care providers in the research study) have BAAs with Jacob’s company (making him a BA).
- Jacob’s company, in turn, must have BAAs with any Subcontractors like HC that may handle PHI on behalf of Jacob’s company.
- HC becomes a BA through this subcontractor relationship.
The distinction matters for compliance and audit purposes. OCR, SOC 2 auditors, and HITRUST assessors all expect the contractual chain to reflect the actual data flow. Getting the terminology wrong isn’t just semantically annoying—it’s misrepresenting the regulations and the relationship between the parties in a legal document.
Jacob: Yup… and here’s the practical problem: I couldn’t legally sign a document stating that my company is a Covered Entity when it’s not.
I explained this to HC, cited the specific CFR sections Jodi just mentioned, and even sent them examples from Google Cloud’s BAA, which handles both Covered Entities and BAs in the same document.
HC’s team said they’d request the language change, and I’m pleased to report that (after nearly three weeks of back-and-forth) we have executed a proper BAA.
What This Means for You
Jodi: You’re right, Jacob. It’s not appropriate to sign a document that says you’re a covered entity when you’re not one. If you’re building health care technology, here’s what you need to know:
- Understand your role in the HIPAA framework. Are you a Covered Entity or a BA? Most tech companies are BAs. If you’re providing services to health care providers, health plans, or clearinghouses and you handle PHI in the process, you’re almost certainly a BA (or a subcontractor BA), not a CE.
- Read the BAA carefully before signing. The terminology matters. If a vendor’s BAA only contemplates Covered Entities as customers, that’s a red flag that they haven’t thought through the subcontractor scenario. (And the detailed requirements of the BAA matter too, but that is a matter for another blog).
- Don’t be afraid to push back. If a vendor insists you sign something that mischaracterizes your role, ask them to revise the language or refer you to an attorney who understands HIPAA.
Jacob: And so …
- Be prepared to educate. Many cloud providers’ legal teams (and their attorneys) don’t fully understand HIPAA’s cascade requirements. You may have to walk them through it. Point them to examples from AWS, Google Cloud, or Microsoft Azure, all of which have dealt with this thousands of times.
- Budget time for this process. What should take a day can take a week or more if you hit legal confusion. Plan accordingly, especially if you have a launch deadline.
The Bigger Picture
Jacob: HC isn’t unique. I’ve seen this same confusion at smaller hosting providers, SaaS companies, and even some larger tech firms. The health care industry’s regulatory complexity means vendors often copy BAA templates without really understanding them.
The irony? HC makes you pay extra for the “privilege” of signing their BAA. They charge for enhanced support as a prerequisite. Not all cloud providers or other technology platforms charge extra.
Jodi: From a legal perspective, this situation highlights a broader issue in health tech. As more non-health care companies enter the space (cloud providers, AI companies, SaaS platforms), many are encountering HIPAA requirements for the first time. Their legal teams may be excellent at tech transactions or general commercial law but unfamiliar with health care regulatory nuance.
The good news is that this is fixable. The BAA template changes HC made aren’t complex. They just needed to add language that accommodates both scenarios: customers who are Covered Entities and customers who are BAs.
Google Cloud’s BAA does this elegantly in a single sentence: “This BAA applies to the extent Customer is acting as a Covered Entity or a Business Associate.” That’s it. Problem solved.
Of course… it makes sense to have counsel who understands HIPAA take a look at the BAA before you sign, as there are a bunch of other issues that may impact your business and use of PHI.
Jacob: Bottom line: if you’re in a similar situation, cite the specific CFR sections (45 CFR § 160.103, § 164.502(e)(1)(ii), and § 164.308(b)(2)), show them working examples from major cloud providers, and be ready to walk away if they won’t fix it.
Jacob Reider MD is CEO of Huddle Health Solutions, Chief Health Officer at WavelyDx, and former Deputy National Coordinator for Health IT at the Office of the National Coordinator. Jodi Daniel is a partner at Wilson Sonsini Goodrich & Rosati, and was the founding director of the Office of the National Coordinator for Health IT.

