By JACOB REIDER & JODI DANIEL
Jacob: I lately wanted to signal a Enterprise Affiliate Settlement (BAA) with one of many giant internet hosting suppliers for a brand new well being IT undertaking. What ought to have been easy was a multi-week instructional train about primary HIPAA compliance. And after I say “primary,” I imply actually primary, just like the definitions within the statute itself.
Right here’s what occurred and why it is advisable to be careful for this in case you’re constructing well being care know-how.
I’m constructing a system that automates scientific information extraction for analysis research. Like all accountable well being care tech firm, I would like HIPAA-compliant infrastructure. The corporate (I’ll name them Internet hosting Firm or HC) is sweet technically, they usually’re internet hosting our growth surroundings, so I signed up for his or her enhanced help plan (which they require earlier than they’ll even take into account a BAA) and requested their commonplace settlement.
The Drawback
HC’s BAA assumes each buyer is a “Coated Entity.” Meaning a well being plan, a well being care clearinghouse, or a well being care supplier that transmits well being data electronically.
However that’s not me. I’m not a Coated Entity. I’m a Enterprise Affiliate (BA). I deal with protected well being data on behalf of Coated Entities. After I want cloud infrastructure, I would like my distributors to signal subcontractor BAAs with me.
The Again and Forth
After I instructed HC that I couldn’t signal their BAA as written, they escalated to their authorized division. Days later, a staff lead got here again with this response:
“To HC, even in case you are a subcontracted or a down the road subcontracted affiliation. It might nonetheless be an settlement between the coated entity throughout the settlement and HC… So even being a enterprise affiliate, it could nonetheless be thought of a coated entity since it’s your enterprise that’s being coated.”
I needed to learn it twice. That is merely incorrect.
Jodi: Let me chime in right here with the authorized perspective, as a result of this confusion is extra widespread than it ought to be.
The phrases “Coated Entity” and “Enterprise Affiliate” aren’t interchangeable advertising phrases. They’ve particular authorized definitions in 45 CFR § 160.103. You may’t simply redefine them as a result of it’s administratively handy. Typically… coated entities are (most) well being care suppliers, well being plans, and well being care clearinghouses; enterprise associates are these entities which have entry to protected well being data to carry out companies on behalf of coated entities; and subcontractors are individuals to whom a enterprise affiliate delegates a perform, exercise, or service.
Right here’s what the rules truly say:
Coated entities are required to have BAAs with the entities that use protected well being data to supply companies on their behalf (i.e., their enterprise associates or BAs) underneath 45 CFR § 164.502(e). Underneath 45 CFR § 164.502(e)(1)(ii) and § 164.308(b)(2), BAs usually are not simply permitted however required to execute subcontractor BAAs with different distributors that create, obtain, keep, or transmit PHI on their behalf.
When that occurs, the subcontractor additionally turns into a BA (generally referred to as a “Enterprise Affiliate of a Enterprise Affiliate” or a “Subcontractor”). The HIPAA obligations cascade down the chain. Coated entities are not required to have BAAs with Subcontractors. 45 CFR § 164.502(e)(1)(i).
That’s precisely what’s occurring in Jacob’s scenario:
- The Coated Entities (the well being care suppliers within the analysis examine) have BAAs with Jacob’s firm (making him a BA).
- Jacob’s firm, in flip, will need to have BAAs with any Subcontractors like HC which will deal with PHI on behalf of Jacob’s firm.
- HC turns into a BA by way of this subcontractor relationship.
The excellence issues for compliance and audit functions. OCR, SOC 2 auditors, and HITRUST assessors all anticipate the contractual chain to reflect the precise information move. Getting the terminology incorrect isn’t simply semantically annoying—it’s misrepresenting the rules and the connection between the events in a authorized doc.
Jacob: Yup… and right here’s the sensible drawback: I couldn’t legally signal a doc stating that my firm is a Coated Entity when it’s not.
I defined this to HC, cited the particular CFR sections Jodi simply talked about, and even despatched them examples from Google Cloud’s BAA, which handles each Coated Entities and BAs in the identical doc.
HC’s staff stated they’d request the language change, and I’m happy to convey that (after practically three weeks of back-and-forth) now we have executed a correct BAA.
What This Means for You
Jodi: You’re proper, Jacob. It’s not applicable to signal a doc that claims you’re a coated entity whenever you’re not one. For those who’re constructing well being care know-how, right here’s what it is advisable to know:
- Perceive your function within the HIPAA framework. Are you a Coated Entity or a BA? Most tech corporations are BAs. For those who’re offering companies to well being care suppliers, well being plans, or clearinghouses and also you deal with PHI within the course of, you’re virtually definitely a BA (or a subcontractor BA), not a CE.
- Learn the BAA rigorously earlier than signing. The terminology issues. If a vendor’s BAA solely contemplates Coated Entities as clients, that’s a purple flag that they haven’t thought by way of the subcontractor situation. (And the detailed necessities of the BAA matter too, however that could be a matter for one more weblog).
- Don’t be afraid to push again. If a vendor insists you signal one thing that mischaracterizes your function, ask them to revise the language or present you to an lawyer who understands HIPAA.
Jacob: And so …
- Be ready to coach. Many cloud suppliers’ authorized groups (and their attorneys) don’t absolutely perceive HIPAA’s cascade necessities. It’s possible you’ll must stroll them by way of it. Level them to examples from AWS, Google Cloud, or Microsoft Azure, all of which have handled this hundreds of instances.
- Price range time for this course of. What ought to take a day can take every week or extra in case you hit authorized confusion. Plan accordingly, particularly you probably have a launch deadline.
The Larger Image
Jacob: HC isn’t distinctive. I’ve seen this identical confusion at smaller internet hosting suppliers, SaaS corporations, and even some bigger tech companies. The well being care trade’s regulatory complexity means distributors typically copy BAA templates with out actually understanding them.
The irony? HC makes you pay further for the “privilege” of signing their BAA. They cost for enhanced help as a prerequisite. Not all cloud suppliers or different know-how platforms cost extra.
Jodi: From a authorized perspective, this case highlights a broader subject in well being tech. As extra non-health care corporations enter the area (cloud suppliers, AI corporations, SaaS platforms), many are encountering HIPAA necessities for the primary time. Their authorized groups could also be wonderful at tech transactions or basic industrial regulation however unfamiliar with well being care regulatory nuance.
The excellent news is that that is fixable. The BAA template modifications HC made aren’t advanced. They simply wanted so as to add language that accommodates each situations: clients who’re Coated Entities and clients who’re BAs.
Google Cloud’s BAA does this elegantly in a single sentence: “This BAA applies to the extent Buyer is appearing as a Coated Entity or a Enterprise Affiliate.” That’s it. Drawback solved.
In fact… it is smart to have counsel who understands HIPAA check out the BAA earlier than you signal, as there are a number of different points which will influence your corporation and use of PHI.
Jacob: Backside line: in case you’re in an identical scenario, cite the particular CFR sections (45 CFR § 160.103, § 164.502(e)(1)(ii), and § 164.308(b)(2)), present them working examples from main cloud suppliers, and be able to stroll away in the event that they received’t repair it.
Jacob Reider MD is CEO of Huddle Well being Options, Chief Well being Officer at WavelyDx, and former Deputy Nationwide Coordinator for Well being IT on the Workplace of the Nationwide Coordinator. Jodi Daniel is a associate at Wilson Sonsini Goodrich & Rosati, was the founding director of the Workplace of the Nationwide Coordinator for Well being IT.
