By JACOB REIDER & JODI DANIEL
Jacob: I not too long ago wanted to signal a Enterprise Affiliate Settlement (BAA) with one of many giant internet hosting suppliers for a brand new well being IT challenge. What ought to have been simple become a multi-week academic train about fundamental HIPAA compliance. And after I say “fundamental,” I imply actually fundamental, just like the definitions within the statute itself.
Right here’s what occurred and why it’s essential to be careful for this in the event you’re constructing well being care know-how.
I’m constructing a system that automates scientific knowledge extraction for analysis research. Like several accountable well being care tech firm, I would like HIPAA-compliant infrastructure. The corporate (I’ll name them Internet hosting Firm or HC) is nice technically, and so they’re internet hosting our improvement surroundings, so I signed up for his or her enhanced assist plan (which they require earlier than they’ll even think about a BAA) and requested their normal settlement.
The Downside
HC’s BAA assumes each buyer is a “Coated Entity.” Meaning a well being plan, a well being care clearinghouse, or a well being care supplier that transmits well being info electronically.
However that’s not me. I’m not a Coated Entity. I’m a Enterprise Affiliate (BA). I deal with protected well being info on behalf of Coated Entities. After I want cloud infrastructure, I would like my distributors to signal subcontractor BAAs with me.
The Again and Forth
After I informed HC that I couldn’t signal their BAA as written, they escalated to their authorized division. Days later, a crew lead got here again with this response:
“To HC, even if you’re a subcontracted or a down the road subcontracted affiliation. It might nonetheless be an settlement between the coated entity inside the settlement and HC… So even being a enterprise affiliate, it might nonetheless be thought of a coated entity since it’s your enterprise that’s being coated.”
I needed to learn it twice. That is merely improper.
Jodi: Let me chime in right here with the authorized perspective, as a result of this confusion is extra frequent than it must be.
The phrases “Coated Entity” and “Enterprise Affiliate” aren’t interchangeable advertising and marketing phrases. They’ve particular authorized definitions in 45 CFR § 160.103. You may’t simply redefine them as a result of it’s administratively handy. Typically… coated entities are (most) well being care suppliers, well being plans, and well being care clearinghouses; enterprise associates are these entities which have entry to protected well being info to carry out providers on behalf of coated entities; and subcontractors are individuals to whom a enterprise affiliate delegates a perform, exercise, or service.
Right here’s what the laws really say:
Coated entities are required to have BAAs with the entities that use protected well being info to offer providers on their behalf (i.e., their enterprise associates or BAs) beneath 45 CFR § 164.502(e). Beneath 45 CFR § 164.502(e)(1)(ii) and § 164.308(b)(2), BAs aren’t simply permitted however required to execute subcontractor BAAs with different distributors that create, obtain, preserve, or transmit PHI on their behalf.
When that occurs, the subcontractor additionally turns into a BA (generally referred to as a “Enterprise Affiliate of a Enterprise Affiliate” or a “Subcontractor”). The HIPAA obligations cascade down the chain. Coated entities are not required to have BAAs with Subcontractors. 45 CFR § 164.502(e)(1)(i).
That’s precisely what’s occurring in Jacob’s scenario:
- The Coated Entities (the well being care suppliers within the analysis examine) have BAAs with Jacob’s firm (making him a BA).
- Jacob’s firm, in flip, will need to have BAAs with any Subcontractors like HC that will deal with PHI on behalf of Jacob’s firm.
- HC turns into a BA by way of this subcontractor relationship.
The excellence issues for compliance and audit functions. OCR, SOC 2 auditors, and HITRUST assessors all anticipate the contractual chain to reflect the precise knowledge circulate. Getting the terminology improper isn’t simply semantically annoying—it’s misrepresenting the laws and the connection between the events in a authorized doc.
Jacob: Yup… and right here’s the sensible drawback: I couldn’t legally signal a doc stating that my firm is a Coated Entity when it’s not.
I defined this to HC, cited the precise CFR sections Jodi simply talked about, and even despatched them examples from Google Cloud’s BAA, which handles each Coated Entities and BAs in the identical doc.
HC’s crew stated they’d request the language change, and I’m happy to convey that (after almost three weeks of back-and-forth) now we have executed a correct BAA.
What This Means for You
Jodi: You’re proper, Jacob. It’s not acceptable to signal a doc that claims you’re a coated entity while you’re not one. For those who’re constructing well being care know-how, right here’s what it’s essential to know:
- Perceive your position within the HIPAA framework. Are you a Coated Entity or a BA? Most tech corporations are BAs. For those who’re offering providers to well being care suppliers, well being plans, or clearinghouses and also you deal with PHI within the course of, you’re virtually definitely a BA (or a subcontractor BA), not a CE.
- Learn the BAA fastidiously earlier than signing. The terminology issues. If a vendor’s BAA solely contemplates Coated Entities as prospects, that’s a crimson flag that they haven’t thought by way of the subcontractor state of affairs. (And the detailed necessities of the BAA matter too, however that may be a matter for an additional weblog).
- Don’t be afraid to push again. If a vendor insists you signal one thing that mischaracterizes your position, ask them to revise the language or present you to an legal professional who understands HIPAA.
Jacob: And so …
- Be ready to teach. Many cloud suppliers’ authorized groups (and their attorneys) don’t totally perceive HIPAA’s cascade necessities. You might must stroll them by way of it. Level them to examples from AWS, Google Cloud, or Microsoft Azure, all of which have handled this 1000’s of instances.
- Finances time for this course of. What ought to take a day can take per week or extra in the event you hit authorized confusion. Plan accordingly, particularly when you’ve got a launch deadline.
The Larger Image
Jacob: HC isn’t distinctive. I’ve seen this identical confusion at smaller internet hosting suppliers, SaaS corporations, and even some bigger tech corporations. The well being care business’s regulatory complexity means distributors typically copy BAA templates with out actually understanding them.
The irony? HC makes you pay further for the “privilege” of signing their BAA. They cost for enhanced assist as a prerequisite. Not all cloud suppliers or different know-how platforms cost extra.
Jodi: From a authorized perspective, this example highlights a broader subject in well being tech. As extra non-health care corporations enter the house (cloud suppliers, AI corporations, SaaS platforms), many are encountering HIPAA necessities for the primary time. Their authorized groups could also be glorious at tech transactions or common business legislation however unfamiliar with well being care regulatory nuance.
The excellent news is that that is fixable. The BAA template adjustments HC made aren’t advanced. They simply wanted so as to add language that accommodates each situations: prospects who’re Coated Entities and prospects who’re BAs.
Google Cloud’s BAA does this elegantly in a single sentence: “This BAA applies to the extent Buyer is appearing as a Coated Entity or a Enterprise Affiliate.” That’s it. Downside solved.
In fact… it is sensible to have counsel who understands HIPAA check out the BAA earlier than you signal, as there are a number of different points that will impression what you are promoting and use of PHI.
Jacob: Backside line: in the event you’re in the same scenario, cite the precise CFR sections (45 CFR § 160.103, § 164.502(e)(1)(ii), and § 164.308(b)(2)), present them working examples from main cloud suppliers, and be able to stroll away in the event that they gained’t repair it.
Jacob Reider MD is CEO of Huddle Well being Options, Chief Well being Officer at WavelyDx, and former Deputy Nationwide Coordinator for Well being IT on the Workplace of the Nationwide Coordinator. Jodi Daniel is a companion at Wilson Sonsini Goodrich & Rosati, was the founding director of the Workplace of the Nationwide Coordinator for Well being IT.
