HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Do forensic firms need to be HIPAA compliant? 

Written by Kirsten Peremore | Dec 6, 2024 12:14:25 AM

Forensic firms are typically engaged to analyze an organization's systems in depth, usually after a data breach. In the course of that work they frequently encounter patient data, which makes them business associates. They must therefore abide by a business associate agreement that sets out the requirements for HIPAA compliance.


What is a business associate? 

A business associate under HIPAA is an external entity or individual who performs certain functions or activities on behalf of a covered entity like a provider or insurer. 

A study published in the Public Health Reports provides, “The Omnibus Rule expands the definition of a 'business associate' to include all entities that create, receive, maintain, or transmit PHI on behalf of a covered entity, making clear that companies that store PHI on behalf of health care providers and health plans are business associates.”

One of the defining characteristics of a business associate is that it must handle protected health information (PHI) under the terms of a business associate agreement (BAA). The agreement sets out the business associate's responsibilities for the handling, protection, and permissible use of PHI so that HIPAA compliance is maintained.


Are forensic firms business associates? 

Forensic firms investigate data breaches by analyzing affected systems, identifying what happened, and mitigating the impact of the breach, all of which require access to PHI. Because the forensic firm is performing a service that could result in access to PHI, it fits the definition of a business associate set by HIPAA's Privacy Rule and expanded by the Omnibus Rule.

For this relationship to be legally compliant with HIPAA, the healthcare organization must have a BAA in place with the firm. The BAA should outline the firm's responsibility for protecting PHI, how HIPAA compliance will be maintained, and the procedure for reporting breaches. Without a BAA, the healthcare organization risks exposing itself to a potential HIPAA violation.


How to ensure business associates remain HIPAA compliant

  1. Before entering into any contractual relationship with a business associate, healthcare organizations should carefully vet the third party by reviewing its security protocols and practices.
  2. A BAA should be in place to set clear guidelines for the relationship between the organization and the firm.
  3. After the BAA is in place, organizations should continue to receive updates on how the business associate is complying with the agreement and upholding security standards.
  4. Ensure that the business associate maintains secure communications that comply with HIPAA. Organizations that value security, such as Paubox with its HIPAA compliant email platform, are a good example of strong security practices. As a result, Paubox has never experienced a data breach.
  5. If the business associate uses a subcontractor to perform functions involving PHI, the healthcare organization should ensure that the subcontractor is also HIPAA compliant. The BAA should extend to subcontractors.


FAQs

What is HIPAA? 

The Health Insurance Portability and Accountability Act is a law designed to protect the privacy and security of people’s PHI.


What is a covered entity? 

A covered entity is a healthcare organization or business that must follow HIPAA's rules. The category includes:

  • Healthcare providers
  • Health plans
  • Healthcare clearinghouses


What happens if a noncompliant service provider is used by a covered entity?

If a covered entity uses a service provider that does not comply with HIPAA, it faces serious consequences, including the possibility of ransoms and possible penalties.