HIPAA Compliance and Business Associate Agreements
For some businesses that fax on a regular basis, security and regulations play a role in determining which provider to use. That’s especially true for medical fields, which must comply with the Health Insurance Portability and Accountability Act (HIPAA). While several online fax service providers offer HIPAA-compliant services, only some will enter into what’s called a Business Associate Agreement. So what does your business need to know about Business Associate Agreements if you’re looking for a HIPAA-compliant service?
What a HIPAA Business Associate Agreement Does
A Business Associate Agreement (BAA) is a contract between a HIPAA covered entity – any organization or business that handles personal health information – and a business associate, which means any organization or person providing services to the HIPAA entity. The BAA ensures that the business associate (for instance, a fax provider) is accountable for protecting the personal health information it is handling or transmitting.
Once the HITECH Act of 2009 went into effect, and again when it and HIPAA were modified in 2013, business associates became subject to more stringent guidelines. Business associates working with HIPAA-covered entities are now subject to audits by the Office for Civil Rights, which oversees HIPAA. Business associates can be held accountable for data breaches, and penalized for noncompliance.
What That Means When It Comes To Fax Service Providers
Some fax service providers offer HIPAA compliance, but won’t sign a BAA. Many of them maintain their compliance even without the BAA by acting as a simple conduit for information, meaning they are excluded from the definition of a business associate per HIPAA’s language.
RingCentral, for instance, asks HIPAA-regulated customers to sign a HIPAA Conduit Setting agreement that applies specifically to the transmission of sensitive data. That agreement commits RingCentral to certain steps, including automatically deleting all messages and calls after 30 days, disabling SMS messaging, and disabling the attachment of voicemail audio files and fax images to message notification emails. By adhering to those practices, the company is not technically handling patient data, and cannot be held liable for its security.
The conduit agreement RingCentral provides allows it to claim HIPAA compliance without a BAA in place, although not having that extra safeguard makes some customers nervous.
“If you use a cloud-based service, it should be your business associate,” David Holtzman of the U.S. Health and Human Services Department’s Office for Civil Rights, Privacy Division, said in this Yahoo small business article. “If they refuse to sign, don’t use the service.”
With the new 2013 Omnibus modification to the HIPAA/HITECH Acts, more security and safeguards are required of anyone who transmits or handles patient health information. For some HIPAA-covered entities or businesses, it may be worth a close look at the fax provider’s policies and the updated HIPAA regulations to make sure HIPAA compliance is not in name only.
If you’re a business that handles patient documents, you can use a provider that won’t sign a BAA. However, if you do so, make sure you understand what safeguards are in place to ensure that the fax provider is indeed adhering to HIPAA regulations. For instance, simply saying a service offers “encryption” isn’t enough, since data must be encrypted both in transit and at rest to be HIPAA-compliant. The fax provider must also be able to show that it is not storing personal health information.
If that sounds like too many potential loopholes, then it may be best to seek out a fax provider that does offer to sign a BAA. Below is a list of services that do and do not sign BAAs:
These online fax services will sign a Business Associate Agreement:
These services offer HIPAA compliant technology, but will NOT sign a Business Associate Agreement: