HIPAA Question of the Month:
E-Mail Provider Won't Sign a BAA?
Published on Mon Aug 30, 2004
Question: The company that hosts our e-mail accounts refuses to sign a business associate agreement (BAA). Should we push the issue further? Are we putting our HIPAA compliance at risk by not protecting our e-mails with a BAA?
Answer: "Yes, you should push the issue further," says Raj Patel, manager of Plante & Moran's Security Assurance and Consulting Practice in Southfield, Mich. Because e-mail communications are "like sending a postcard," a BAA will force the provider to take extra steps to ensure its privacy and security.
If you're still unsure whether your e-mail provider is a business associate, find out whether "the provider has access to personal health information (PHI). Can they actually go into the e-mails and see the content?" says Beth Rubin, an attorney with Dechert in Philadelphia.
The Bottom Line: You must be thoroughly convinced a provider cannot access PHI before you let it off the hook, Rubin says. Remember that the provider does have "administrative capabilities," which allow it to access e-mail content even if it does not exercise that ability, Patel says.