By JACOB REIDER & JODI DANIEL
Jacob: I not too long ago wanted to signal a Enterprise Affiliate Settlement (BAA) with one of many massive internet hosting suppliers for a brand new well being IT challenge. What ought to have been simple changed into a multi-week instructional train about fundamental HIPAA compliance. And after I say “fundamental,” I imply actually fundamental, just like the definitions within the statute itself.
Right here’s what occurred and why it’s good to be careful for this if you happen to’re constructing well being care expertise.
I’m constructing a system that automates scientific information extraction for analysis research. Like all accountable well being care tech firm, I want HIPAA-compliant infrastructure. The corporate (I’ll name them Internet hosting Firm or HC) is nice technically, they usually’re internet hosting our improvement surroundings, so I signed up for his or her enhanced assist plan (which they require earlier than they’ll even take into account a BAA) and requested their normal settlement.
The Drawback
HC’s BAA assumes each buyer is a “Lined Entity.” Which means a well being plan, a well being care clearinghouse, or a well being care supplier that transmits well being info electronically.
However that’s not me. I’m not a Lined Entity. I’m a Enterprise Affiliate (BA). I deal with protected well being info on behalf of Lined Entities. After I want cloud infrastructure, I want my distributors to signal subcontractor BAAs with me.
The Again and Forth
After I instructed HC that I couldn’t signal their BAA as written, they escalated to their authorized division. Days later, a staff lead got here again with this response:
“To HC, even if you’re a subcontracted or a down the road subcontracted affiliation. It could nonetheless be an settlement between the coated entity inside the settlement and HC… So even being a enterprise affiliate, it could nonetheless be thought of a coated entity since it’s your enterprise that’s being coated.”
I needed to learn it twice. That is merely incorrect.
Jodi: Let me chime in right here with the authorized perspective, as a result of this confusion is extra widespread than it must be.
The phrases “Lined Entity” and “Enterprise Affiliate” aren’t interchangeable advertising and marketing phrases. They’ve particular authorized definitions in 45 CFR § 160.103. You may’t simply redefine them as a result of it’s administratively handy. Usually… coated entities are (most) well being care suppliers, well being plans, and well being care clearinghouses; enterprise associates are these entities which have entry to protected well being info to carry out companies on behalf of coated entities; and subcontractors are individuals to whom a enterprise affiliate delegates a operate, exercise, or service.
Right here’s what the laws really say:
Lined entities are required to have BAAs with the entities that use protected well being info to offer companies on their behalf (i.e., their enterprise associates or BAs) beneath 45 CFR § 164.502(e). Beneath 45 CFR § 164.502(e)(1)(ii) and § 164.308(b)(2), BAs usually are not simply permitted however required to execute subcontractor BAAs with different distributors that create, obtain, preserve, or transmit PHI on their behalf.
When that occurs, the subcontractor additionally turns into a BA (typically known as a “Enterprise Affiliate of a Enterprise Affiliate” or a “Subcontractor”). The HIPAA obligations cascade down the chain. Lined entities are not required to have BAAs with Subcontractors. 45 CFR § 164.502(e)(1)(i).
That’s precisely what’s taking place in Jacob’s state of affairs:
- The Lined Entities (the well being care suppliers within the analysis examine) have BAAs with Jacob’s firm (making him a BA).
- Jacob’s firm, in flip, will need to have BAAs with any Subcontractors like HC that will deal with PHI on behalf of Jacob’s firm.
- HC turns into a BA by this subcontractor relationship.
The excellence issues for compliance and audit functions. OCR, SOC 2 auditors, and HITRUST assessors all anticipate the contractual chain to reflect the precise information circulation. Getting the terminology incorrect isn’t simply semantically annoying—it’s misrepresenting the laws and the connection between the events in a authorized doc.
Jacob: Yup… and right here’s the sensible downside: I couldn’t legally signal a doc stating that my firm is a Lined Entity when it’s not.
I defined this to HC, cited the particular CFR sections Jodi simply talked about, and even despatched them examples from Google Cloud’s BAA, which handles each Lined Entities and BAs in the identical doc.
HC’s staff stated they’d request the language change, and I’m happy to convey that (after practically three weeks of back-and-forth) now we have executed a correct BAA.
What This Means for You
Jodi: You’re proper, Jacob. It’s not acceptable to signal a doc that claims you’re a coated entity if you’re not one. For those who’re constructing well being care expertise, right here’s what it’s good to know:
- Perceive your position within the HIPAA framework. Are you a Lined Entity or a BA? Most tech corporations are BAs. For those who’re offering companies to well being care suppliers, well being plans, or clearinghouses and also you deal with PHI within the course of, you’re nearly actually a BA (or a subcontractor BA), not a CE.
- Learn the BAA fastidiously earlier than signing. The terminology issues. If a vendor’s BAA solely contemplates Lined Entities as prospects, that’s a purple flag that they haven’t thought by the subcontractor state of affairs. (And the detailed necessities of the BAA matter too, however that could be a subject for one more weblog).
- Don’t be afraid to push again. If a vendor insists you signal one thing that mischaracterizes your position, ask them to revise the language or present you to an legal professional who understands HIPAA.
Jacob: And so …
- Be ready to coach. Many cloud suppliers’ authorized groups (and their attorneys) don’t absolutely perceive HIPAA’s cascade necessities. You might must stroll them by it. Level them to examples from AWS, Google Cloud, or Microsoft Azure, all of which have handled this 1000’s of occasions.
- Price range time for this course of. What ought to take a day can take per week or extra if you happen to hit authorized confusion. Plan accordingly, particularly in case you have a launch deadline.
The Greater Image
Jacob: HC isn’t distinctive. I’ve seen this identical confusion at smaller internet hosting suppliers, SaaS corporations, and even some bigger tech companies. The well being care business’s regulatory complexity means distributors usually copy BAA templates with out actually understanding them.
The irony? HC makes you pay further for the “privilege” of signing their BAA. They cost for enhanced assist as a prerequisite. Not all cloud suppliers or different expertise platforms cost extra.
Jodi: From a authorized perspective, this example highlights a broader difficulty in well being tech. As extra non-health care corporations enter the house (cloud suppliers, AI corporations, SaaS platforms), many are encountering HIPAA necessities for the primary time. Their authorized groups could also be glorious at tech transactions or basic business regulation however unfamiliar with well being care regulatory nuance.
The excellent news is that that is fixable. The BAA template modifications HC made aren’t advanced. They simply wanted so as to add language that accommodates each eventualities: prospects who’re Lined Entities and prospects who’re BAs.
Google Cloud’s BAA does this elegantly in a single sentence: “This BAA applies to the extent Buyer is performing as a Lined Entity or a Enterprise Affiliate.” That’s it. Drawback solved.
After all… it is smart to have counsel who understands HIPAA check out the BAA earlier than you signal, as there are a number of different points that will impression your online business and use of PHI.
Jacob: Backside line: if you happen to’re in the same state of affairs, cite the particular CFR sections (45 CFR § 160.103, § 164.502(e)(1)(ii), and § 164.308(b)(2)), present them working examples from main cloud suppliers, and be able to stroll away in the event that they gained’t repair it.
Jacob Reider MD is CEO of Huddle Well being Options, Chief Well being Officer at WavelyDx, and former Deputy Nationwide Coordinator for Well being IT on the Workplace of the Nationwide Coordinator. Jodi Daniel is a companion at Wilson Sonsini Goodrich & Rosati, was the founding director of the Workplace of the Nationwide Coordinator for Well being IT.
