Without a business associate agreement (BAA), there is no formal agreement outlining the email provider’s responsibility to safeguard PHI, making it challenging for organizations to demonstrate HIPAA compliance. The lack of clarity can expose organizations to penalties from the Department of Health and Human Services (HHS) if a data breach occurs. For example, Advocate Health Care faced a $5.55 million fine after failing to secure a BAA and experiencing multiple breaches.
The need for BAAs with email service providers
Email service providers are commonly used to transmit protected health information (PHI). Many popular email service providers are not secure enough to transmit PHI, chiefly because they do not encrypt messages. For this reason, healthcare organizations must confirm that a provider offers HIPAA compliant services before allowing it access to patient data.
The consequences of neglecting to institute a BAA
- Patients expect their healthcare providers to safeguard their sensitive information, and a breach can erode trust. The New York Presbyterian Hospital and Columbia University Medical Center experienced this firsthand when they were fined $4.8 million after a data leak exposed the PHI of about 6,800 patients due to inadequate safeguards during server deactivation.
- Legal repercussions are another concern; affected patients may pursue lawsuits against organizations that fail to protect their PHI. For example, Advanced Care Hospitalists in Florida agreed to pay a $500,000 fine after an investigation revealed that they had not executed a BAA with their billing company. The negligence resulted in financial penalties and opened the door for potential legal actions from affected patients.
- Without a BAA in place, email service providers may not prioritize the security measures necessary for HIPAA compliance. This lack of accountability increases vulnerability to data breaches and can lead to regulatory penalties for healthcare organizations. The Children’s Medical Center of Dallas was fined $3.2 million for ignoring encryption recommendations that could have prevented multiple breaches involving unencrypted devices.
Strategies to mitigate the risk
- Ensure that all third-party vendors who have access to PHI are required to sign a BAA.
- Regularly assess the security measures implemented by business associates to ensure they are adequate for protecting PHI.
- Limit the number of business associates who have access to PHI by only allowing those who absolutely need it for their services.
- Use data security questionnaires to evaluate the risk profile of business associates before entering into agreements.
- Adopt frameworks such as ISO 27001 or the NIST Cybersecurity Framework to streamline compliance and risk management processes.
- Train staff on HIPAA compliance and the need to safeguard PHI, including understanding the implications of not having a BAA.
FAQs
Who qualifies as a Business Associate?
A business associate is any person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity.
When is a BAA required?
A BAA is required whenever a business associate will have access to PHI during their work for a covered entity. This includes direct relationships and situations where subcontractors of the business associate will handle PHI.
What should be included in a BAA?
Key elements that should be included in a BAA are:
- Permissible uses and disclosures: Clearly define how PHI can be used and shared.
- Business associate obligations: Outline the responsibilities of the business associate regarding safeguarding PHI.
- Termination provisions: Specify conditions under which the agreement can be terminated.