Introduction to HIPAA and the Necessity of BAAs
The Health Insurance Portability and Accountability Act (HIPAA): HIPAA is a regulatory framework that ensures the privacy, security, and protection of sensitive protected health information (PHI). Parties subject to HIPAA regulations, such as healthcare providers, therapists, and counselors, are required to make sure that any third party that has access to or handles electronic protected health information (ePHI) complies with HIPAA regulations too. This, of course, is easier said than done and has led to the creation of HIPAA Business Associate Agreements.
Business Associate Agreements (BAA)
BAAs are a legal requirement that sets clear expectations between healthcare providers and business associates about how ePHI is to be managed:
- BAAs are legally binding contracts that ensure entities subject to HIPAA regulations, such as a dental practice, and their secure email service providers such as MailHippo follow all the necessary HIPAA regulations when dealing with ePHI.
- Essentially, BAAs serve as a legally binding promise on the business associate’s end that they will take all the necessary precautions when handling ePHI, such as encrypting email correspondence between healthcare providers and patients, and will be responsible for failures to adhere to the HIPAA Business Associate Agreement.
- BAAs lay out in detail the responsibilities involved in handling ePHI, from baseline encryption protocols to the response required in the event of a data breach.
Why Does MailHippo Require a HIPAA-Compliant Business Associate Agreement?
- MailHippo is considered a business associate under HIPAA regulations. Because it works with entities that are required to adhere to HIPAA regulations and handles ePHI on their behalf, MailHippo must be bound by a BAA.
- MailHippo’s BAA pertains to its role in handling sensitive ePHI for its clients, such as patient correspondence, medical records, and history. The HIPAA business associate agreement lays out the rules for handling this ePHI, such as encryption protocols for email correspondence.
- In having a BAA, MailHippo clients can rest easy in the knowledge that MailHippo’s services strictly adhere to HIPAA’s security standards and that MailHippo is legally obligated to do so.
Key Components of MailHippo’s BAA
- End-to-End Encryption: MailHippo pledges to use top-of-the-line AES 256-bit end-to-end encryption for all email content and correspondence. This means that only authorized parties, such as a healthcare provider and a patient, can access pertinent ePHI.
- Tracking and Auditing Content: For the sake of transparency and HIPAA compliance, MailHippo provides detailed record-keeping services for tracking access to content on the platform as part of its HIPAA business associate agreement. For instance, MailHippo records who accesses email correspondence and when.
- Secure Storage: MailHippo’s HIPAA-compliant business associate agreement outlines its responsibility to securely handle and store all ePHI. MailHippo’s data centers are all HIPAA-compliant with robust security measures to prevent unauthorized access.
- Breach Reporting: MailHippo has a legal obligation, as outlined in the BAA, to notify the healthcare provider and assist in managing a response in the unlikely event of a data breach.
With a BAA, Healthcare Providers Can Have Peace of Mind
MailHippo’s BAA ensures that healthcare providers, or other potential MailHippo clients subject to HIPAA regulations, have a HIPAA-compliant partner they can rely on to handle sensitive ePHI. With top-of-the-line end-to-end encryption protocols, a robust auditing system, and a commitment to transparency written into its HIPAA business associate agreement, MailHippo lets healthcare professionals focus on their patients while it takes some of the security-related burden off their shoulders.