By JACOB REIDER & JODI DANIEL
Jacob: I lately wanted to signal a Enterprise Affiliate Settlement (BAA) with one of many giant internet hosting suppliers for a brand new well being IT venture. What ought to have been simple become a multi-week instructional train about fundamental HIPAA compliance. And after I say “fundamental,” I imply actually fundamental, just like the definitions within the statute itself.
Right here’s what occurred and why you should be careful for this for those who’re constructing well being care expertise.
I’m constructing a system that automates scientific knowledge extraction for analysis research. Like several accountable well being care tech firm, I would like HIPAA-compliant infrastructure. The corporate (I’ll name them Internet hosting Firm or HC) is nice technically, they usually’re internet hosting our improvement atmosphere, so I signed up for his or her enhanced assist plan (which they require earlier than they’ll even think about a BAA) and requested their normal settlement.
The Downside
HC’s BAA assumes each buyer is a “Lined Entity.” Which means a well being plan, a well being care clearinghouse, or a well being care supplier that transmits well being data electronically.
However that’s not me. I’m not a Lined Entity. I’m a Enterprise Affiliate (BA). I deal with protected well being data on behalf of Lined Entities. After I want cloud infrastructure, I would like my distributors to signal subcontractor BAAs with me.
The Again and Forth
After I instructed HC that I couldn’t signal their BAA as written, they escalated to their authorized division. Days later, a workforce lead got here again with this response:
“To HC, even in case you are a subcontracted or a down the road subcontracted affiliation. It might nonetheless be an settlement between the coated entity throughout the settlement and HC… So even being a enterprise affiliate, it will nonetheless be thought of a coated entity since it’s your enterprise that’s being coated.”
I needed to learn it twice. That is merely improper.
Jodi: Let me chime in right here with the authorized perspective, as a result of this confusion is extra frequent than it needs to be.
The phrases “Lined Entity” and “Enterprise Affiliate” aren’t interchangeable advertising and marketing phrases. They’ve particular authorized definitions in 45 CFR § 160.103. You possibly can’t simply redefine them as a result of it’s administratively handy. Typically… coated entities are (most) well being care suppliers, well being plans, and well being care clearinghouses; enterprise associates are these entities which have entry to protected well being data to carry out companies on behalf of coated entities; and subcontractors are individuals to whom a enterprise affiliate delegates a operate, exercise, or service.
Right here’s what the rules really say:
Lined entities are required to have BAAs with the entities that use protected well being data to supply companies on their behalf (i.e., their enterprise associates or BAs) beneath 45 CFR § 164.502(e). Below 45 CFR § 164.502(e)(1)(ii) and § 164.308(b)(2), BAs will not be simply permitted however required to execute subcontractor BAAs with different distributors that create, obtain, keep, or transmit PHI on their behalf.
When that occurs, the subcontractor additionally turns into a BA (typically known as a “Enterprise Affiliate of a Enterprise Affiliate” or a “Subcontractor”). The HIPAA obligations cascade down the chain. Lined entities are not required to have BAAs with Subcontractors. 45 CFR § 164.502(e)(1)(i).
That’s precisely what’s taking place in Jacob’s scenario:
- The Lined Entities (the well being care suppliers within the analysis research) have BAAs with Jacob’s firm (making him a BA).
- Jacob’s firm, in flip, should have BAAs with any Subcontractors like HC that will deal with PHI on behalf of Jacob’s firm.
- HC turns into a BA via this subcontractor relationship.
The excellence issues for compliance and audit functions. OCR, SOC 2 auditors, and HITRUST assessors all count on the contractual chain to reflect the precise knowledge stream. Getting the terminology improper isn’t simply semantically annoying—it’s misrepresenting the rules and the connection between the events in a authorized doc.
Jacob: Yup… and right here’s the sensible drawback: I couldn’t legally signal a doc stating that my firm is a Lined Entity when it’s not.
I defined this to HC, cited the particular CFR sections Jodi simply talked about, and even despatched them examples from Google Cloud’s BAA, which handles each Lined Entities and BAs in the identical doc.
HC’s workforce mentioned they’d request the language change, and I’m happy to convey that (after almost three weeks of back-and-forth) now we have executed a correct BAA.
What This Means for You
Jodi: You’re proper, Jacob. It’s not applicable to signal a doc that claims you’re a coated entity whenever you’re not one. For those who’re constructing well being care expertise, right here’s what you should know:
- Perceive your function within the HIPAA framework. Are you a Lined Entity or a BA? Most tech corporations are BAs. For those who’re offering companies to well being care suppliers, well being plans, or clearinghouses and also you deal with PHI within the course of, you’re nearly definitely a BA (or a subcontractor BA), not a CE.
- Learn the BAA fastidiously earlier than signing. The terminology issues. If a vendor’s BAA solely contemplates Lined Entities as clients, that’s a crimson flag that they haven’t thought via the subcontractor situation. (And the detailed necessities of the BAA matter too, however that may be a matter for one more weblog).
- Don’t be afraid to push again. If a vendor insists you signal one thing that mischaracterizes your function, ask them to revise the language or present you to an lawyer who understands HIPAA.
Jacob: And so …
- Be ready to coach. Many cloud suppliers’ authorized groups (and their attorneys) don’t absolutely perceive HIPAA’s cascade necessities. You might must stroll them via it. Level them to examples from AWS, Google Cloud, or Microsoft Azure, all of which have handled this hundreds of occasions.
- Price range time for this course of. What ought to take a day can take per week or extra for those who hit authorized confusion. Plan accordingly, particularly in case you have a launch deadline.
The Larger Image
Jacob: HC isn’t distinctive. I’ve seen this similar confusion at smaller internet hosting suppliers, SaaS corporations, and even some bigger tech companies. The well being care business’s regulatory complexity means distributors typically copy BAA templates with out actually understanding them.
The irony? HC makes you pay further for the “privilege” of signing their BAA. They cost for enhanced assist as a prerequisite. Not all cloud suppliers or different expertise platforms cost extra.
Jodi: From a authorized perspective, this example highlights a broader problem in well being tech. As extra non-health care corporations enter the area (cloud suppliers, AI corporations, SaaS platforms), many are encountering HIPAA necessities for the primary time. Their authorized groups could also be glorious at tech transactions or common industrial regulation however unfamiliar with well being care regulatory nuance.
The excellent news is that that is fixable. The BAA template adjustments HC made aren’t advanced. They simply wanted so as to add language that accommodates each eventualities: clients who’re Lined Entities and clients who’re BAs.
Google Cloud’s BAA does this elegantly in a single sentence: “This BAA applies to the extent Buyer is performing as a Lined Entity or a Enterprise Affiliate.” That’s it. Downside solved.
After all… it is sensible to have counsel who understands HIPAA check out the BAA earlier than you signal, as there are a number of different points that will impression your small business and use of PHI.
Jacob: Backside line: for those who’re in the same scenario, cite the particular CFR sections (45 CFR § 160.103, § 164.502(e)(1)(ii), and § 164.308(b)(2)), present them working examples from main cloud suppliers, and be able to stroll away in the event that they received’t repair it.
Jacob Reider MD is CEO of Huddle Well being Options, Chief Well being Officer at WavelyDx, and former Deputy Nationwide Coordinator for Well being IT on the Workplace of the Nationwide Coordinator. Jodi Daniel is a accomplice at Wilson Sonsini Goodrich & Rosati, was the founding director of the Workplace of the Nationwide Coordinator for Well being IT.
