How Amazon Reminded Us That Not All Business Associates Agreements (BAAs) Are Created Equal
Ever since Amazon announced that it was changing its policy to sign BAAs for HIPAA-compliant data storage, we’ve been eager and excited. That sentiment soon turned to disappointment, however, when we read their proposed agreement.
The use of remote data storage providers such as Google, Microsoft, and Amazon Web Services is ideal for organizations that must grapple with large amounts of sensitive data on a regular basis, such as research or healthcare organizations. Putting someone else in charge of storing and maintaining these data can allow data producers to focus more energy on their primary objectives.
The large amounts of protected health information (PHI) contained within patient data makes things especially complicated, and the world of healthcare legislation has responded accordingly. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires covered entities (CE), which include health care clearinghouses, health plans, and some health care providers, to comply with stipulations to enhance security and privacy and prevent breaches. Some examples of CEs are hospitals, academic research institutions, and billing companies. Generally, organizations providing data storage services to CEs fall into the category of “business associate” (BA), which HIPAA defines as any entity that has access to protected health information (PHI) through physical, virtual, direct, or indirect means.
HIPAA requires CEs to sign Business Associate Agreements (BAA) with BAs that impose the same requirements on the latter. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act extended liability for many but not all HIPAA requirements to BAs.
Where does this leave data storage providers? It can be argued that data storage providers need not fall under the umbrella of “business associate” if they only receive or maintain encrypted PHI. If these providers do not have the encryption key, then they do not truly “have access” to these data because HIPAA’s Breach Notification Rule considers encrypted data to be secure. In all other cases, even if they only store but never actually view any PHI, data storage providers for CEs would still be considered BAs.
Despite extending responsibilities from CEs to their storage providers, the requirement of HIPAA compliance from BAs may still leave CEs vulnerable to legal persecution for violations. What does a bad BAA look like? Here are a few items to watch out for:
- A clause that puts all of the burden for securing data on the CE.
- No terms outlining how the BA would respond to breaches of unsecured PHI.
- Lack of specification about the BA’s level of access to PHI.
- A non-disclosure clause.
How can you spot a good HIPAA-compliant BAA? Look for these qualifying terms and conditions:
- Description of the BA as an entity that “creates, receives, maintains or transmits” data for a CE, which is the language used in the HITECH Act.
- Requirement for the BA to notify the CE of breaches within a short period of time and follow a procedure for breach notifications.
- Requirement for the BA to acknowledge and comply with HITECH and HIPAA provisions.
- Outline of the BA’s safeguards for PHI.
- Delineation of the BA’s level of access to PHI.
- Permission for the CE to terminate its relationship with the BA if the BA is not HIPAA-compliant.
- Permission for the BA to terminate its relationship with the CE if the CE is not HIPAA-compliant.
- Requirement for the BA to sign similar agreements with its own subcontractors.
The terms of many run-of-the-mill BAAs, even those from leading data providers, may fail to include sufficient provisions under HIPAA and ultimately prove useful for a typical healthcare or research technology project. It’s important to realize that not all BAAs are created equal, and that some may even provide no more protection than if you were to not sign a BAA at all.
Surprisingly, given Amazon’s reputation for putting the customer first, Amazon Web Services’s BAA lacks many desirable BAA terms while containing all of the aforementioned undesirable characteristics. In contrast, Prometheus’s BAAs with CEs carefully detail our responsibilities and each step we take to maintain compliance with HIPAA, including our levels of access to PHI, terms for working with subcontractors with access to PHI, procedures for breach notifications, and more. When working with sensitive information, precision and transparency in BAAs between CEs and BAs are vital to building productive and mutually beneficial relationships of trust. Do you know the terms of your BAAs and whether they are providing adequate protection for your data?