Business Associate Agreement: a SaaS Company Guide

What is a Business Associate Agreement?

Simple: a Business Associate Agreement is the name of a common contract between what’s called a “Covered Entity” (e.g., a hospital network) and a “Business Associate” (e.g., a SaaS company handling data related to health information).  Business Associate Agreements are not terribly long, maybe 4-5 pages, but they are fairly complex and dense.

Who needs a Business Associate Agreement?

“Business Associates” do!  Any company that’s receiving health data (what’s called “Protected Health Information” or “PHI” under the Health Insurance Portability and Accountability Act (“HIPAA”)) and storing it, processing it, and/or transmitting it is required by law to have a Business Associate Agreement in effect between it and the company sending them the PHI (the Covered Entity or upstream Business Associate).

nurse

If I am not covered by HIPAA do I need a Business Associate Agreement?

There is a ton of confusion about who is “covered by” HIPAA.  This is understandable, Business Associates can and often do run businesses that have absolutely nothing to do with healthcare or medicine.  Let’s say you have a SaaS company that offers a simple online messaging platform that allows end users to send messages back and forth.  One day a doctor’s office approaches you wanting to buy a subscription.  They intend to use your SaaS product to exchange messages with their patients.  That doctor’s office should ask you (a) if the product is HIPAA compliant and (b) if you have a Business Associate Agreement they can sign.  Assuming this is the first time your SaaS product has ever been used to transmit or store PHI, you now must either (1) turn away the customer or (2) sign a Business Associate Agreement.  Picking Option 2?  Before you can sign a Business Associate Agreement, you must have policies and procedures in place that ensure your product can be used in a HIPAA-compliant manner.

What if my SaaS product isn’t supposed to have PHI in it?

This is a common scenario.  If a SaaS company is offering products that it does not wish to be used to store or transmit PHI, there are certain steps it should take to protect itself from liability, chief among them is establishing a clear prohibition within the SaaS company’s Terms of Service

What happens if a SaaS company processes PHI without a Business Associate Agreement?

It depends on what the SaaS company has in its Terms of Service, what its marketing materials and practices look like, and whether it is/was aware it was handling PHI.  Assuming the Terms of Service and marketing materials are in good shape (and a few other assumptions I won’t bore the reader with), the liability in this situation for violating HIPAA rests squarely with the Covered Entity that is using the SaaS product to store or transmit PHI.  Covered Entities are the primary custodians of the PHI and they need to be methodical in the way they select vendors to assist them in the store and transmission of PHI.

tablet with doctor and patientHow does a SaaS company get its product(s) HIPAA-compliant?

First it’s worth noting that this isn’t a small project and not something you can slap together because you have an enticing prospective customer ready to buy your service as long as it’s HIPAA-compliant.  The steps typically followed by a SaaS company are: (a) build a business case with a cost-benefit analysis to ensure you aren’t wasting time and effort, (b) bring in a consultant to conduct a HIPAA Risk Analysis – there are tons of them out there, from big companies like KPMG to small boutiques, (c) do all the things your consultant advises you to do, this will typically include designing, documenting, and operationalizing workflows and dataflows and can and often does involve staffing considerations, (d) undergo your risk assessment and receive an opinion letter or attestation, (e) align your SaaS product documentation and marketing to the requirements of HIPAA, (f) ensure you have controls and processes in place for Change Management and to ensure the product’s use can remain HIPAA-compliant going forward, such as conducting internal annual Gap Analyses (more on that below).  Last, it’s important to get a tech lawyer who practices Business Law and understands both the software business and HIPAA to draft and/or review the appropriate contracts, including a Business Associate Agreement.

I am short on time and money, is there a lower-cost consultancy that’s still high quality that you would recommend?

Yes, there are a number of smaller consultancies that have every bit as much brainpower and expertise as the major names and typically offer more affordable pricing.  Specific recommendations would depend on the size and nature of your business.

What kind of encryption does a SaaS product need for PHI?

HIPAA does not categorically require logical encryption for PHI at rest.  This means that, for example, hardware encryption alone might meet the requirements of HIPAA, depending on the specific facts and circumstances.  The HIPAA Security Rule requires encryption of data at rest for almost all intents and purposes (45 C.F.R. § 164.306(d)(3) and 164.312(a)(2)(iv)) but doesn’t say how or what kind. The Breach Notification Rule safe harbor refers to NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.  HIPAA does this a lot – it avoids laying down bright-line rules in favor of what is essentially a “reasonableness standard.”  The elements Covered Entities and Business Associates are supposed to consider when deciding how to comply with the encryption requirement of the HIPAA Security Rule, and many of the other controls in the Security Rule, are (in 45 C.F.R. § 164.306):

“(i) The size, complexity, and capabilities of the covered entity or business associate.

(ii) The covered entity’s or the business associate’s technical infrastructure, hardware, and software security capabilities.

(iii) The costs of security measures.

(iv) The probability and criticality of potential risks to electronic protected health information.”

nurse with patient and tablet consulting

Can I avoid having to comply by just using a HIPAA-compliant infrastructure provider, like AWS?

No.  Some of the obligations of the HIPAA Security Rule can be fulfilled by a single player in the chain of custody, but not all of them.  For example, if the chain of custody is Covered Entity to Business-Associate SaaS Company to Business-Associate IaaS Company, it’s sufficient for the Business-Associate SaaS Company to encrypt the data and then transmit it to the IaaS Company; the IaaS Company does not then need to encrypt the encrypted data.

Once a SaaS company is compliant, can it tell customers it’s “HIPAA compliant?”

It shouldn’t.  This is a surprisingly common mistake made by many SaaS companies.  Companies are not HIPAA-compliant and neither are SaaS products.  The end goal of a SaaS company seeking compliance with HIPAA is that the SaaS product(s) can be used in a HIPAA-compliant manner.  If a prospective customer asks, “is your SaaS product HIPAA compliant?” what they are really asking is “Is it possible to use your product the way I want to use it and still remain HIPAA compliant?”  This sounds like an exercise in pedanticism but is a very important point for marketing professionals in the SaaS space.  The distinction here is that it’s possible to use almost any tool in a manner that is violative of HIPAA.  I can use Microsoft Paint to draw patients’ social security numbers and then print them out and post them on telephone poles around town, in violation of HIPAA. 

Sadly, the reality is that nobody searches Google for “[SaaS] that can be used in a HIPAA-compliant manner”.  Instead, they are going to search for “HIPAA-compliant [SaaS product]” so if a marketing department wants any shot at that sweet, sweet organic traffic, they will likely have to lead with a title like that, but the balance of the landing page and other materials like product documentation should make it abundantly clear that simply using the SaaS product in question does not, ipso facto, make an end user compliant with HIPAA; how the product is used by the end user matters.

screenshot of a company's marketing materials advertising HIPAA complianceDo SaaS companies have to do anything special when it comes to HIPAA?

Yes.  In a nutshell they need to provide usage instructions to their customers that describe how their SaaS product must and must not be used, in each case to remain compliant with HIPAA.  These instructions typically take the form of articles within the SaaS product documentation that are incorporated by reference from the Terms of Service.

Do SaaS products that are capable of facilitating HIPAA compliance cost more?

Yes, it’s very common for SaaS companies to charge their customers a premium fee for HIPAA compliance or to only offer a HIPAA-compliant instance of the product at a certain minimum subscription tier, like Enterprise.  The additional fees offset the overhead associated with getting and maintaining a product that can be used in compliance with HIPAA.

Where do I get a Business Associate Agreement?

A lawyer can draft a Business Associate Agreement.  For SaaS companies that means a lawyer who understands both the software business as well as HIPAA itself.  For other businesses, domain knowledge might be helpful as well.

Are Business Associate Agreements all the same?

No, there is a surprising amount of diversity when it comes to Business Associate Agreements, not in their purpose but in their quality and in their effectiveness when it comes to risk allocation.  Business Associate Agreements are not commodities and they are not simply a template created by the DHHS, although the DHHS has provided some sample language as guidance.

virtual patient consultation

Should a SaaS company permit Covered Entities to review its policies and procedures around HIPAA?

SaaS companies that are Business Associates should be wary of accepting such a request and Covered Entities should we wary of making such requests.  Although early draft versions of the regulations contemplated due diligence like this, the final regulations only require the Covered Entity to (i) execute a Business Associate Agreement before providing access to PHI to a Business Associate and (ii) take certain steps if the Covered Entity becomes aware that the Business Associate is violating HIPAA.  Covered Entities that nonetheless seek to go above and beyond their obligations risk having the Business Associate’s acts or omissions imputed to themselves in a principal-agent construct.  Covered Entities and upstream Business Associates are probably better-served by adequately verifying that all of their vendors have implemented reasonable and appropriate security measures to protect personal information, including PHI, prior to onboarding them as a vendor.  This would take the form of sufficient due diligence during a vendor onboarding workflow (e.g., a mandatory questionnaire).

Does a Covered Entity typically audit or otherwise take steps to ensure a Business Associate’s ongoing compliance with HIPAA?

No, although some might seek to.  The potential upside to doing so, in theory, is a higher likelihood of preventing HIPAA violations.  Whether that pans out in reality is a different question.  The downside is (i) it’s more time and money and (ii) it opens the Covered Entity up to both enforcement and litigation risk (see above).

What’s a HIPAA Risk Analysis?

A HIPAA “Risk Analysis” is an analysis specifically required by HIPAA (45 C.F.R. § 164.308(a)(1)(ii)(A)) to be performed.  The language of the requirement is to “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].”  Details on what that entails and how it should be performed have been provided by the DHHS in its Guidance on Risk Analysis Requirements under the HIPAA Security Rule document.

nurse

What’s a HIPAA Risk Assessment?

This is a term that’s thrown around a lot and has different meanings depending on the context.

What’s a HIPAA Gap Analysis?

A Gap Analysis is an analysis specifically required by HIPAA (45 C.F.R. § 164.308(a)(8)) to be performed.  The language of the requirement is: “Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity’s or business associate’s security policies and procedures meet the requirements of this subpart.”  If this is confusing to you, you are not alone.  The DHHS has published a document attempting to explain the difference between a Risk Analysis and a Gap Analysis.

How does HIPAA compare to SOC 2 Type II (Security & Availability), ISO 27001 (Cloud Security), ISO 27018 (Cloud Privacy), and FedRAMP?

Getting a SaaS product to be capable of HIPAA-compliant use is generally considered a lighter lift than the balance of these certifications.  For starters, an independent auditor, while extremely helpful, is not required.

Should a SaaS company that’s a Business Associate have policies and procedures that are specific to HIPAA compliance?

The DHHS expects Covered Entities to have HIPAA-specific policies and procedures, but not necessarily Business Associates.  The reality of the situation is that any SaaS company is going to have pre-existing policies and procedures related to privacy and data security and there is likely significant overlap between the internal controls established by those documents and what’s required by HIPAA, so supplementing the pre-existing documents and programs is the easiest way to go.  That said, the supplementation should, at the risk of stating the obvious, specifically mention HIPAA by name and refer to the appropriate sections of the Security Rule throughout.

example of BAA signup dialogue on web page
example of a SaaS company’s BAA click-through agreement dialogue

Can a SaaS company get sued for violating HIPAA?

Not exactly.  HIPAA doesn’t provide what’s called a “private right of action,” which is a fancy way of saying that individuals like you and I can’t sue someone for violating HIPAA itself.  When there’s a HIPAA violation, the violator is fined by the DHHS and might also be sued by private parties affected by the violation, but they don’t sue under HIPAA, as such.  Instead they sue with other claims, like breach of contract, breach of fiduciary duty, unjust enrichment, invasion of privacy, and other torts and state-specific laws that provide a private right of action.  You can read about some examples of such lawsuits here.

What do fines for HIPAA violations look like?

The amount of the fines are determined by the HHS based on a number of factors, including the scope and duration of the violation.  Fines range from tens of thousands of dollars to the highest ever of $16 million.

What’s typically in a Business Associate Agreement, content-wise?

45 CFR 164.504(e) lays out a bunch of specific requirements for provisions that must be included in a Business Associate Agreement.  In a nutshell, a Business Associate Agreement will check all of those boxes in addition to defining very specifically what both the Business Associate and the Covered Entity (or upstream or downstream Business Associate) must do (obligations) and can do (rights).  Regardless of how the rights and obligations are divided up amongst the two parties to the contract, the end result is that the Business Associate Agreement, if followed by both parties, should be designed to ensure HIPAA compliance.

How much does a Business Associate Agreement cost?

A Business Associate Agreement needs to work hand-in-glove with a SaaS company’s product documentation so the cost of preparing the Business Associate Agreement will depend, in part, on the number and complexity of the SaaS product(s) for which it is designed, along with the preexisting quality of the product documentation and the availability of essential information about the product itself (e.g., “Can you list all of the potential fields within the product for which you would like to accommodate ePHI input from an end user?”).  Cost can be effectively managed by making product managers or other professionals available to your attorney who are very knowledgeable about the SaaS product itself, both the frontend and backend.

How long does it take to prepare a Business Associate Agreement?

If everything else is already in place (the Risk Assessments, etc.), the creation of a Business Associate Agreement template can be accomplished in a matter of days.

Where can I read more about Business Associate Agreements and HIPAA compliance?

Call Us
OR

Free Initial Consultation