You Don’t Have to Sign a BAA With Your Web Analytics Vendor to be HIPAA-compliant

Published: July 13, 2017 Updated: August 7, 2019 Author Karolina Lubowicka Category Analytics, Data Privacy & Security, GDPR, Healthcare

Are you having trouble with convincing your web analytics vendor to sign a business associate agreement (BAA)? Don’t worry. There’s a way to deploy a web analytics tool which complies with HIPAA standards without a BAA in your hand. In this blog post we’ll show you how to make it happen.

Before we proceed to our main topic and make you familiar with the easiest way to overcome problems related to a business associate agreement (BAA), let’s take one step back and discuss the basics. Here you can find the answers to a couple of the most important questions regarding HIPAA-compliant web analytics for your healthcare organization.

What is a BAA?

A BAA is a contract between a HIPAA-covered entity and its business associates. It obliges both sides of the contract to protect personal health information (PHI) in alignment with the guidelines provided by HIPAA.

BAAs require that a healthcare company dealing with HIPAA obtain sufficient assurances from its business associates and that business associate will safeguard the PHI on its behalf.

What’s more, under the HITECH Act (the Health Information Technology for Economic and Clinical Health Act, legislation that was created in 2009 to stimulate the adoption of electronic health records) any HIPAA business associate automatically becomes subject to audits performed by the U.S. Department of Health and Human Services (HHS) and can be held liable for any data breaches or improper handling of data.

What should be in it?

HIPAA requires that every BAA contain certain elements. As we can read on the HHS website, the contract must:

• Describe the permitted and required uses of protected health information by the business associate
• Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law
• Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract.

Who is a business associate?

To put it concisely, a “business associate” is any party outside your company that deals with PHI gathered by your organization. As we can read on the HHS website:

A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

And further in the text we can find the list of activities performed by a business associate:

Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.

We can clearly assume, that a lion’s share of the third-party web analytics vendors would fall into the definition of business associate provided by the HHS. Especially those who operate in a cloud environment and have direct contact with data collected by their clients or even use the data to improve their own services (like Google).

Why convincing your healthcare web analytics vendor to sign BAA might be a problem

First, handling data in alignment with HIPAA introduces advanced data privacy demands, which often cannot be met with many standard web analytics solutions. For instance, that could mean storing all the user data on your own servers, encrypting your data, or using SSO methods.

Second, as we said before, signing a BAA introduces high responsibilities for both sides of the contract. As business associates, web analytics vendors are directly liable under HIPAA and can become subject to penalties (both civil and criminal!) in case of unauthorized use and disclosure of PHI.

Web analytics for healthcare with no requirement to sign a BAA

Fortunately, as we announced at the very beginning of this blog post, there’s a way to work around this problem.

How? Instead of convincing your vendor to sign a BAA with you, you can seek a web analytics solution that allows you to store all the PHI collected by your analytical tool on your own servers and not send any data containing PHI to a third party.

Thanks to that, your web analytics software provider won’t have any access to PHI of your patients and because of that won’t be considered your business associate. So there will be no need to sign a BAA. Sounds like something that may fix your problem, right?

What’s more, this resolution might also allow you to implement your own compliance procedures, for instance: take advantage of selected encryption methods demanded by HIPAA or log into the system using SAML, LDAP or other SSO technique.

As a healthcare organization your technical team should already have a wealth of technical experience when it comes to deploying HIPAA-compliant applications, so in many cases you’ll be able to do a much better job in safeguarding your patients’ data than a third party.

Web analytics for healthcare – final thoughts

Healthcare is, without a doubt, an industry with some of the most restrictive regulations on handling patient data. But there’s no need for companies doing business in this sector to deprive themselves of valuable analytics insights.

With the right tool, you’ll be able to fulfil all the obligations imposed on you by HIPAA and at the same time not compromise the quality of the data you collect.

If you’d like to expand your knowledge on this subject, you can also get in touch with Piwik PRO experts. We’ll be happy to provide you with answers to your questions about HIPAA-compliant web analytics.

You can also follow our blog to stay up to date with the latest news about data privacy, security, and other important topics.