By JACOB REIDER & JODI DANIEL


Jacob: I recently needed to sign a Business Associate Agreement (BAA) with one of the large hosting providers for a new health IT project. What should have been simple turned into a multi-week educational exercise about basic HIPAA compliance. And when I say “basic,” I mean really basic, like the definitions in the statute itself.
Here’s what happened and why you need to watch out for this if you’re building health care technology.
I’m building a system that automates clinical data extraction for research studies. Like any responsible health care tech company, I need HIPAA-compliant infrastructure. The company (I’ll call them Hosting Company or HC) is great technically, and they’re hosting our development environment, so I signed up for their enhanced support plan (which they require before they’ll even consider a BAA) and requested their standard agreement.
The Problem
HC’s BAA assumes every customer is a “Covered Entity.” That means a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically.
But that’s not me. I’m not a Covered Entity. I’m a Business Associate (BA). I handle protected health information on behalf of Covered Entities. When I need cloud infrastructure, I need my vendors to sign subcontractor BAAs with me.
The Back and Forth
When I told HC that I couldn’t sign their BAA as written, they escalated to their legal department. Days later, a team lead came back with this response:
“To HC, even if you are a subcontracted or a down the line subcontracted affiliation. It would still be an agreement between the covered entity within the agreement and HC… So even being a business associate, it would still be considered a covered entity since it is your business that is being covered.”
I had to read it twice. This is simply wrong.
Jodi: Let me chime in here with the legal perspective, because this confusion is more common than it should be.
The terms “Covered Entity” and “Business Associate” aren’t interchangeable marketing terms. They have specific legal definitions in 45 CFR § 160.103. You can’t just redefine them because it’s administratively convenient. Generally… covered entities are (most) health care providers, health plans, and health care clearinghouses; business associates are those entities that have access to protected health information to perform services on behalf of covered entities; and subcontractors are persons to whom a business associate delegates a function, activity, or service.
Here’s what the regulations actually say:
Covered entities are required to have BAAs with the entities that use protected health information to provide services on their behalf (i.e., their business associates or BAs) under 45 CFR § 164.502(e). Under 45 CFR § 164.502(e)(1)(ii) and § 164.308(b)(2), BAs are not just permitted but required to execute subcontractor BAAs with other vendors that create, receive, maintain, or transmit PHI on their behalf.
When that happens, the subcontractor also becomes a BA (sometimes known as a “Business Associate of a Business Associate” or a “Subcontractor”). The HIPAA obligations cascade down the chain. Covered entities are not required to have BAAs with Subcontractors. 45 CFR § 164.502(e)(1)(i).
That’s exactly what’s happening in Jacob’s situation:
- The Covered Entities (the health care providers in the research study) have BAAs with Jacob’s company (making him a BA).
- Jacob’s company, in turn, must have BAAs with any Subcontractors like HC that may handle PHI on behalf of Jacob’s company.
- HC becomes a BA through this subcontractor relationship.
The distinction matters for compliance and audit purposes. OCR, SOC 2 auditors, and HITRUST assessors all expect the contractual chain to mirror the actual data flow. Getting the terminology wrong isn’t just semantically annoying—it’s misrepresenting the regulations and the relationship between the parties in a legal document.
Jacob: Yup… and here’s the practical problem: I couldn’t legally sign a document stating that my company is a Covered Entity when it’s not.
I explained this to HC, cited the specific CFR sections Jodi just mentioned, and even sent them examples from Google Cloud’s BAA, which handles both Covered Entities and BAs in the same document.
HC’s team said they’d request the language change, and I’m pleased to report that (after almost three weeks of back-and-forth) we’ve executed a proper BAA.
What This Means for You
Jodi: You’re right, Jacob. It’s not acceptable to sign a document that says you’re a covered entity when you’re not one. If you’re building health care technology, here’s what you need to know:
- Understand your role in the HIPAA framework. Are you a Covered Entity or a BA? Most tech companies are BAs. If you’re providing services to health care providers, health plans, or clearinghouses and you handle PHI in the process, you’re almost certainly a BA (or a subcontractor BA), not a CE.
- Read the BAA carefully before signing. The terminology matters. If a vendor’s BAA only contemplates Covered Entities as customers, that’s a red flag that they haven’t thought through the subcontractor scenario. (And the detailed requirements of the BAA matter too, but that is a topic for another blog.)
- Don’t be afraid to push back. If a vendor insists you sign something that mischaracterizes your role, ask them to revise the language or refer you to an attorney who understands HIPAA.
Jacob: And so …
- Be prepared to educate. Many cloud providers’ legal teams (and their attorneys) don’t fully understand HIPAA’s cascade requirements. You may need to walk them through it. Point them to examples from AWS, Google Cloud, or Microsoft Azure, all of which have dealt with this thousands of times.
- Budget time for this process. What should take a day can take a week or more if you hit legal confusion. Plan accordingly, especially if you have a launch deadline.
The Bigger Picture
Jacob: HC isn’t unique. I’ve seen this same confusion at smaller hosting providers, SaaS companies, and even some larger tech firms. The health care industry’s regulatory complexity means vendors often copy BAA templates without really understanding them.
The irony? HC makes you pay extra for the “privilege” of signing their BAA. They charge for enhanced support as a prerequisite. Not all cloud providers or other technology platforms charge more.
Jodi: From a legal perspective, this case highlights a broader issue in health tech. As more non-health care companies enter the space (cloud providers, AI companies, SaaS platforms), many are encountering HIPAA requirements for the first time. Their legal teams may be excellent at tech transactions or general commercial law but unfamiliar with health care regulatory nuance.
The good news is that this is fixable. The BAA template changes HC made aren’t complex. They just needed to add language that accommodates both scenarios: customers who are Covered Entities and customers who are BAs.
Google Cloud’s BAA does this elegantly in a single sentence: “This BAA applies to the extent Customer is acting as a Covered Entity or a Business Associate.” That’s it. Problem solved.
Of course… it makes sense to have counsel who understands HIPAA take a look at the BAA before you sign, as there are a number of other issues that may impact your business and use of PHI.
Jacob: Bottom line: if you’re in a similar situation, cite the specific CFR sections (45 CFR § 160.103, § 164.502(e)(1)(ii), and § 164.308(b)(2)), show them working examples from major cloud providers, and be ready to walk away if they won’t fix it.
Jacob Reider MD is CEO of Huddle Health Solutions, Chief Health Officer at WavelyDx, and former Deputy National Coordinator for Health IT at the Office of the National Coordinator. Jodi Daniel is a partner at Wilson Sonsini Goodrich & Rosati, and was the founding director of the Office of the National Coordinator for Health IT.
