HIPAA compliant methods for sharing PHI with business associates

HIPAA compliant methods for sharing Protected Health Information (PHI) with business associates include using secure communication channels such as encrypted emails, secure file transfer protocols (SFTP), or dedicated secure messaging platforms. Additionally, both parties must sign a business associate agreement (BAA) outlining the responsibilities and safeguarding measures to protect PHI.

Business associates and the role of business associate agreements (BAAs)

According to the HHS, "A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.". Examples of business associates include billing companies, IT service providers, medical transcription services, and legal services handling healthcare claims. These entities assist healthcare organizations in tasks that require access to PHI, streamlining operations, and ensuring quality healthcare delivery.

Healthcare organizations must have a written BAA with each business associate before sharing any PHI. The BAA outlines the permissible uses and disclosures of PHI and ensures that business associates are held accountable for safeguarding patient data. The BAA also defines the responsibilities of both the healthcare organization and the business associate regarding HIPAA compliance. 

Related: How to know if you're a business associate

HIPAA compliant methods for sharing PHI

1. Encrypted email: Using encrypted email services ensures that PHI remains protected during transmission and can only be accessed by authorized recipients with the appropriate decryption key. Encrypting emails adds an extra layer of security, making it difficult for hackers or unauthorized individuals to intercept and view sensitive information.
2. Secure file transfer protocol (SFTP): SFTP provides a secure method for transferring files with PHI. It encrypts data during transit and requires user authentication for access, ensuring that only authorized users can retrieve the shared information. 
3. Virtual private network (VPN): A VPN establishes a secure and encrypted connection between the healthcare organization and the business associate's network. This method ensures that data transmitted between the parties remains confidential and protected from potential threats or breaches that may occur over unsecured networks.
   
4. Text messaging: HIPAA compliant text messaging platforms offer encrypted and secure communication channels, making them suitable for exchanging sensitive patient data.
5. Secure file-sharing services: Select reputable cloud-based file-sharing services with encryption and access controls. These services allow healthcare organizations to share files containing PHI with business associates securely. 
6. Encrypted physical media: In rare cases where electronic means are not feasible, PHI can be shared via encrypted physical media, such as encrypted USB drives. To maintain data privacy, the media can be sent through certified mail or secure courier services.
7. HIPAA compliant apps: If healthcare organizations use mobile devices for sharing PHI, they must ensure that any apps or communication tools used are specifically designed as HIPAA compliant. Mobile apps should have robust encryption and authentication features to protect PHI on the go.

FAQs 

Can a business associate use a subcontractor to handle PHI?

Yes, but the business associate must ensure the subcontractor signs a BAA and complies with HIPAA regulations.

What are the consequences of not having a BAA in place?

Failure to have a BAA can result in significant fines and penalties from the Office for Civil Rights (OCR) and potential data breaches due to insufficient safeguards.

Is it necessary to train business associates on HIPAA compliance?

While it's not mandatory, it's highly recommended to ensure business associates know their responsibilities and best practices for protecting PHI.