If you are required to comply with HIPAA and need to deal with third-party vendors who require access to protected health information (PHI) or whose products come into contact with PHI, you must ensure that you enter into a business associate agreement with those vendors prior to using their products or services in connection with any PHI. The business associate agreement – or BAA – outlines the business associate’s responsibilities with respect to PHI, the terms of its use, and other essential information with respect to HIPAA and the business relationship with the covered entity. The BAA also informs the business associate that they are bound by HIPAA Rules, that they must provide access to systems to federal regulators who investigate compliance, and that the business associate can be fined directly for violations of HIPAA Rules.
Healthcare organizations are increasingly taking advantage of the cloud and are using web applications for collecting PHI and sharing that information with authorized individuals. Cloud service providers and web application developers are considered business associates, and therefore a BAA is required before their services are used.
When looking for a custom web application to handle medical information, here are a few questions you might want to ask:
Security is always an important factor when web-based applications are built to handle customer information. However, HIPAA guidelines add another level of security that application developers must keep in mind. Keep costs low by building HIPAA compliance into your application from the start. Check to find out if the developer has previously worked with HIPAA covered entities and is aware of HIPAA Rules and the protections that are required under the HIPAA Security Rule to prevent unauthorized access and disclosure of PHI.
By choosing a web hosting company that has previous experience with HIPAA compliant web applications, you are choosing a company that has experience providing an extra level of security required by the provisions in HIPAA. You should only use a web hosting company that is prepared to sign a business associate agreement and abide by HIPAA Rules.
This is often overlooked by those in the market for HIPAA compliant partners. If your business is governed by HIPAA guidelines, the best business practice is to ensure that your vendors follow the same standards. Responsible vendors will already have HIPAA guidelines in place. These include discernible HIPAA processes backed by robust policies and security measures. The vendor must provide regular HIPAA training for all employees and have a designated HIPAA Officer to oversee the entire compliance process. Your Security Officer should perform an assessment of a prospective business associate to ensure that the company or individual is compliant, even if the company offers a BAA.