There are many scenarios in business and healthcare in which PHI is moved and shared. In the 1990s a lot of this happened over fax machines, over the phone and in person. In the modern landscape software and the internet are used to manage all data including protected health information. As you probably already know, these transactions require Business Associate Agreements. The BAA transfers responsibility for the PHI from the covered entity to the associate handling it. This is often an EHR, email provider, pharmacy, printer or some other service provider or individual that is managing and not creating the PHI. By signing a BAA, the company is stating that they have their own HIPAA compliance approach which meets the law’s requirements.
It is still the responsibility of the covered entity to make sure they only sign Business Associate Agreements with business associates who are truly HIPAA compliant. Most covered entities with a reputation to uphold do a business audit of any potential business partners and they look for all of the usual HIPAA requirements including training for all staff that works with PHI, documented policies and procedures for both privacy and security of protected data as well as an overall culture of compliance.
What happens when the Business Associate uses a third party?
Many businesses operate with the help of additional team members that are not considered employees. This could be a lawyer or a developer or a graphic designer. When it comes to PHI, anyone handling it has to be HIPAA compliant on their own, so when a business associate shares PHI, that transfer needs to be outlined with a Business Associate Subcontractor Agreement.
This can become a little complicated in terms of software development relating to programs that will be handling PHI. It’s obviously key that strict standards be upheld for the development environment, but that’s easier said than done.
Whose responsibility is it to make sure the software development environment meets HIPAA requirements?
Ultimately it is the responsibility of any entity who has signed a BAA or created PHI to make sure the data is always being handled properly. When a Business Associate has a subcontractor sign a BASA (Business Associate Subcontractor Agreement), they are indicating they trust PHI will be safe. The covered entity is not reducing the responsibility they have for the PHI they created. Under the Common Agency Provision, a business associate’s breach becomes the covered entity’s breach. In some cases, the business associate or the covered entity will provide HIPAA training and other services like a security assessment to the subcontractor in order to increase the likelihood that their data is protected. However, unless a company employs a person, they aren’t entitled to specify exactly how the job is done (see IRS article on contractors). Ultimately it’s the responsibility of the subcontractors themselves to procure their own HIPAA training and document their own policies and procedures that they can use to prove they develop in a HIPAA compliant way.
Independent contractors are self-employed, so they take on the same responsibilities any company takes on when they hire employees. No matter where in the world they are located, when an individual works with United States PHI, they are required to be HIPAA compliant. If they are self-employed, they need to meet all HIPAA requirements and establish a BAA or a BASA with the covered entity or business associate that their PHI comes from and anywhere they send the PHI to. If the subcontractor is a software developer they need to be able to provide the details of their development environment in answers on a security risk assessment and create policies that ensure any code they source from elsewhere has been thoroughly reviewed according to strict standards before being used to develop software that will handle PHI.
If you want some additional clarity or help in creating your HIPAA compliance approach please book a 15 minute Clarity Call to learn about HIPAA Prime!