How Do You Know When You Need a Business Associate Agreement?
If you’ve ever visited a healthcare system’s website, you were probably tracked by a number of web trackers.
Web trackers that monitor your user journey so the marketers at that healthcare system can understand what you did on their website. Web trackers that watch for conversions and trigger ads if you don’t schedule an appointment. Web trackers that collect information about an appointment you might’ve scheduled. Web trackers that trigger the automated emails. The list goes on and on.
Each one of those web trackers collects PHI about you. If the healthcare system doesn’t have a Business Associate Agreement with each one of the vendors that built each web tracker, the healthcare system could be violating HIPAA.
A Business Associate Agreement, or a BAA, is a document that states how a third party (aka business associate) will handle Protected Health Information (PHI) on behalf of a covered entity. In simple terms, this means the business associate will handle PHI with the same high standards as covered entities. BAAs also make business associates liable for improperly managing PHI.
If your company is a covered entity, and you’re sharing PHI with any other company or contractor, you need to have a BAA in place with them. But there are certain types of companies that won’t sign a BAA. They don’t want to assume the liability of improperly managing PHI. What makes this difficult is those companies that won’t sign BAAs have built tools that are commonly used by marketers in all industries.
A word about PHI
PHI is at the center of a BAA. PHI, as we’ve mentioned before, is made up of two data points: personal identifiers and health information.
An email address is a personal identifier because it's tied to one person. If you combine that email address with health information about that person, then you have PHI.
If you’re a covered entity and I visit your healthcare website and fill out a form for more information that includes my email address, mark@freshpaint.io, along with the fact that I’m looking for information about knee replacement surgery, you’ve got PHI about me.
The information I submitted on the form is almost always handled by a third-party tool. It could be something as simple as Google Sheets, but more likely, it’s Salesforce or any number of other tools. The specific tool doesn’t really matter for this example. What matters is the question, “Do you have a BAA with the vendor of that tool?” If you don’t have a BAA with the tool handling my information, you just violated HIPAA.
What tools do you need a BAA for?
The thing to keep in mind is that not all vendors that build web trackers will sign a BAA. And some will only sign a BAA if you spend enough money with them.
As we wrote in the Privacy-First Framework, all the tools that your company uses to run digital ads, analytics, and more fall into two categories:
- Martech tools you have to use a BAA with
- Martech tools you can’t get a BAA with
Let’s take a look at the tools that most commonly fall into each bucket.
Category 1: Martech tools you have to use a BAA with
These are the non-negotiables. If you use the tools in this category, you have to get a BAA.
Tools that most often fall into this category:
- CRMs – CRMs are often your source of truth about customers and website visitors. As such, you can’t have a source of truth without an identifier and some amount of health information about those customers. That combination often results in PHI.
- Analytics tools – Analytics tools are right in the crosshairs of HHS regarding HIPAA violations. These tools, by default, collect PHI. If you’re using them, you have to have a BAA in place.
- Email marketing tools – If you want to do great email marketing, you need personal identifiers and a way to segment your audiences. Most often, you’ll want to segment by some sort of health indicator.
- Personalization tools – Same as above. Personalization tools are really cool, but they require PHI to function properly. If you’re using one of these, get yourself a BAA.
- Form builder tools – Form builders are often misunderstood. They seem safe because the user is taking action to send PHI to you, right? Well, that’s not quite how HIPAA works. The user is sending information to you, not your form builder, even though the form builder is the tool that collects the information. The user has not opted in to sharing PHI with the form builder. So, HIPAA violation if you don’t have a BAA.
- Identity resolution tools – These tools stitch together user journeys. They need both pieces of PHI to operate. Using one of these without a BAA is just asking HHS/FTC for a fine.
- SMS tools – these are exactly the same as email marketing tools in terms of how they operate. So, your risk level is essentially the same.
There is one workaround for a few of the tools on that list. For analytics tools, you can use a Healthcare Privacy Platform to irreversibly de-identify personal identifiers before sharing them with the analytics tools. That prevents PHI from being passed to those tools.
For messaging tools, like email marketing and SMS tools, you can build an audience in a Healthcare Privacy Platform and send only the personal identifiers to your messaging tool. That will still allow for segmentation and personalized messaging.
But if you’re not using a Healthcare Privacy Platform, you have to have a BAA in place with all of the above tools. Even if you are using a Healthcare Privacy Platform, it’s still worth your time to get a BAA with CRMs, form builders, and other tools that need both parts of PHI to function.
Category 2: Martech tools you can’t get a BAA with
This second bucket is the tough bucket. There are a number of widely used tools that you can’t get a BAA with, BUT those tools can still function without PHI.
Tools in this category are:
- Google Analytics – Nearly all marketers, and many healthcare marketers, use Google Analytics to understand website performance and user behavior. Google will not sign a BAA for its analytics platform. If you look at their support docs, they explicitly state GA does not protect you from HIPAA violations. In fact, they go so far as to tell you not to use GA if you’re a covered entity: “Customers who are subject to HIPAA must not use Google Analytics in any way that implicates Google’s access to, or collection of, PHI, and may only use Google Analytics on pages that are not HIPAA-covered.”
- Google Ads, LinkedIn, and Meta Pixel – With all ad platforms, it’s not the platform that’s the problem; it’s the tracking technology. In this case, that’s the Google Ads, LinkedIn Ads, and Meta Ads pixels. All of those pixels function in nearly the same way. They collect information about the specific actions that specific users take on your website. That almost always means they collect PHI. None of these platforms will sign a BAA because BAAs mean limitations on how and what data they can collect. None of them want to signal to the market that they’re willing to limit their data collection, because that opens the door to further regulation.
- Embedded video – If you embed video on your website through YouTube or Vimeo, you need a BAA, but you can’t always get one. Embedded video automatically includes analytics trackers which collect PHI. YouTube won’t sign a BAA. Vimeo will on their Enterprise Tier, but we've heard it can be a difficult process.
- Mapping tools – Google Maps and other mapping tools embedded on your website are a risk to HIPAA compliance because they collect location information and other components of PHI. Google Maps won’t sign a BAA so you need to find a workaround if this is on your website.
- Captcha – Captcha is the same as pretty much every other tool on this list. It collects more information than it needs to function. Why does it do that? For analytics. And for reCaptcha and a lot of other captcha tools, you can’t get a BAA.
A lot of these tools are essential for high performance marketing that helps to improve your organization’s bottom line. But since you can’t get a BAA with them, you need to find another path forward.
What do you do about the tools you can’t get a BAA for?
All of the tools in Category 2 are still important for marketing. You can’t just shut them off. And in the case of ads, you can’t find alternatives. With this list of tools, you really only have one option to stay HIPAA compliant:
Use a Healthcare Privacy Platform that can govern the flow of data to these tools. Healthcare Privacy Platforms prevent PHI from sneaking through to unauthorized third-party tools. They also de-identify personal identifiers that are needed to help those tools function.
When evaluating tools to help with your PHI governance, make sure you find a tool that uses cryptographic hashing instead of encryption. Encryption is reversible and, as a result, does not ensure HIPAA compliance. Cryptographic hashing, on the other hand, is irreversible, which makes it much safer for HIPAA compliance.
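The two controls described above (allow only the fields a no-BAA tool needs, and pass personal identifiers only in an irreversibly de-identified form) are small enough to show in code. The following is an added example written for this article; it is not code from any Healthcare Privacy Platform, and the key, the field allowlist, the vendor list and the sample event are all constructed for illustration. It uses a keyed hash (HMAC-SHA256) rather than a bare SHA-256, because the key is what keeps a hashed email address from being matched against a list of known addresses; the key stays with the covered entity and is never sent to the third-party tool.

```python
import hashlib
import hmac

# Constructed secret held only by the covered entity / privacy platform.
# In practice this would come from a secrets manager and be rotated.
DEIDENT_KEY = b"example-secret-key-not-for-production"

# Constructed allowlist: fields a tool with no BAA may receive as-is.
ALLOWED_FIELDS = {"event", "page_path", "timestamp"}

# Personal identifiers that may leave only in de-identified (tokenized) form.
IDENTIFIER_FIELDS = {"email", "phone"}

# Constructed list of vendors with which a BAA is actually in place.
VENDORS_WITH_BAA = {"crm"}


def deidentify(value: str) -> str:
    """One-way, keyed hash of a personal identifier.

    Normalizing case and whitespace first means the same person always maps
    to the same token, so an analytics tool can still stitch a user journey
    together without ever seeing the underlying email or phone number.
    """
    normalized = value.strip().lower()
    return hmac.new(DEIDENT_KEY, normalized.encode("utf-8"), hashlib.sha256).hexdigest()


def govern_event(event: dict) -> dict:
    """Return only what a tool without a BAA is allowed to receive.

    Allowlisted fields pass through, identifiers are replaced by tokens, and
    everything else (health information such as a condition or appointment
    details) is dropped rather than forwarded.
    """
    governed = {}
    for key, value in event.items():
        if key in ALLOWED_FIELDS:
            governed[key] = value
        elif key in IDENTIFIER_FIELDS and isinstance(value, str):
            governed[key + "_token"] = deidentify(value)
        # Any other field is PHI or potentially PHI: drop it.
    return governed


def route(event: dict, vendor: str) -> dict:
    """Send the full event only to vendors covered by a BAA; govern the rest."""
    if vendor in VENDORS_WITH_BAA:
        return dict(event)
    return govern_event(event)


# Constructed sample event, like the knee-replacement form fill described above.
SAMPLE_EVENT = {
    "event": "form_submit",
    "page_path": "/services/knee-replacement",
    "timestamp": "2024-01-01T12:00:00Z",
    "email": " Visitor@Example.com ",
    "condition": "looking for information about knee replacement surgery",
}

if __name__ == "__main__":
    print("to CRM (BAA):      ", route(SAMPLE_EVENT, "crm"))
    print("to analytics (no BAA):", route(SAMPLE_EVENT, "analytics"))
```

The point to check when evaluating a real platform is the same one this toy makes explicit: the identifier never reaches the no-BAA tool in cleartext, the health-related fields never reach it at all, and the token is stable across visits so the tool still functions.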
Data Privacy Controls are Crucial for HIPAA Compliance
Think of a BAA as a data privacy control. It helps to ensure that the company you’re sharing PHI with will manage that PHI in a safe, secure way.
If you can get a BAA with a martech tool you’re using, do it. If you can’t get a BAA, there are often workarounds that still protect your PHI.
The worst thing you can do is nothing. If you don’t have a BAA with a third-party tool, and you’re not governing the flow of PHI to that tool, you’re going to land in hot water with HHS or the FTC, or find yourself facing a serious class action lawsuit.
Keep learning: 8 Common Web Trackers That Could Jeopardize Your Healthcare Website’s HIPAA Compliance