In the life sciences industry, partnerships with pharmaceutical companies often require signing business associate agreements (BAAs). What are these contracts, and how can your biotech startup prepare for opportunities that involve protected health information (PHI)?
In the world of growing biotechs, IT compliance might be the last thing on your mind, but it is necessary for the health of your business. Particularly when it comes to PHI, you must take measures to ensure the safety of sensitive information. Prevention and preparation are key. In order to pass an audit or confidently sign a new BAA, your business must have the proper documents and technical controls in place to ensure you’re fully compliant.
Even if your company isn’t HIPAA compliant yet, as your business grows, you may be considered a Business Associate, which means you will be held to HIPAA standards for handling PHI. A BAA is a written document that outlines the responsibilities of an outside agency and holds them liable for any breaches or mishandling of data. If you recently signed a BAA or you’re hoping to forge new partnerships in the future, you need to understand and plan for managing and protecting patient data.
Compliance with BAAs involves:
- Protecting data
- Reducing risk
- Reporting any data breaches
- Following security best practices
When you sign a BAA, you’re not just promising that you won’t intentionally leak PHI, you’re also agreeing to actively protect PHI by following IT best practices.
3 Steps to Protect Data
Security needs intensify when introducing PHI. In order to comply with HIPAA regulations, you will need to have written policies and procedures that outline how PHI is handled. You can either create the document yourself or hire us to provide it for you. Once you have those procedures documented, you need to make sure they are actually followed by every team member. To accomplish this, make sure that employees are properly trained on your IT procedures and implement technical controls to avoid human error. As a best practice, you should also document the training by keeping a record of names, dates, and topics of the training. This will help protect you if an employee fails to follow procedures.
Use multiple layers of defense to safeguard sensitive data. Here are three steps:
Step 1: Limit access to sensitive data. Only the people that require access to PHI and other sensitive information to perform their job should be able to access it.
Step 2: Use data loss prevention (DLP) controls. Make sure you have the proper technical controls in place. This doesn’t have to be expensive, but proper configuration is key. This technology watches data that leaves your network and automatically flags and stops any data that you’ve defined as protected, such as Social Security numbers. That way, even if there are employees who do not follow the procedures, your data is protected no matter what.
Step 3: Add controls within the documents. Your IT provider can set controls such as geolocation limits so that if a document is sent to someone in an unapproved location, the document becomes inaccessible.
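To make Step 2 concrete, here is an added example (not from the original post and not any particular DLP product's code) of the core logic such a control applies: scanning an outbound message for values you have defined as protected, here Social Security numbers, and blocking the message when a plausible one is found. The outbound message and the structural SSN rules used to suppress look-alike order numbers are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of an outbound message (not from the page): line 2 carries
# an SSN-shaped value, line 3 a look-alike that fails the structural rules.
SAMPLE_OUTBOUND = (
    "Subject: trial enrollment follow-up\n"
    "Patient record ref: 219-09-9999 please confirm\n"
    "Order tracking: 000-12-3456\n"
    "Batch lot 78-12345 shipped\n"
)

SSN_PATTERN = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str  # never log the full value; keep only the last four digits


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Apply the SSA's structural rules (area not 000/666/900-999, group not 00,
    serial not 0000) so random digit runs such as order numbers do not trigger a block."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def scan_outbound(text: str) -> list[Finding]:
    """Scan one outbound message for protected patterns; return redacted findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_PATTERN.finditer(line):
            if is_plausible_ssn(*m.groups()):
                findings.append(Finding(line_no, "SSN", f"***-**-{m.group(3)}"))
    return findings


def dlp_decision(text: str) -> tuple[str, list[Finding]]:
    """Policy: block the message if any protected pattern is present, else allow."""
    findings = scan_outbound(text)
    return ("BLOCK" if findings else "ALLOW"), findings


if __name__ == "__main__":
    action, hits = dlp_decision(SAMPLE_OUTBOUND)
    print(action)
    for f in hits:
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
```

A real DLP deployment would hold the pattern list and the block/allow policy in configuration rather than code, and would log the redacted finding to your audit trail so the event can be reported under the BAA's breach-notification terms.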
The pandemic has accelerated workplace trends that you’ll need to pay extra attention to if you must comply with a Business Associate Agreement or HIPAA. Before COVID-19 changed workplaces around the world, we were already seeing many startups allowing employees to “bring your own device” (BYOD) to work. Then the pandemic increased remote work, and therefore BYOD, exponentially. Suddenly, people who had desktops in the office were working from home, often on their own computers. From an operational standpoint, BYOD can be a great solution for business continuity. However, when employees bring their own devices, IT departments have no control without the proper solutions in place.
If you want to make BYOD work, you’ll need to be careful about how you allow devices into your network to access critical information. Check that the device has active antivirus software installed and make sure that the operating system, antivirus, and other critical software are up to date. This is why you need a solid BYOD plan, especially for any devices that will access PHI.
Not planning ahead is the number one mistake we see biotech startups make. It is typically more efficient and cost-effective to have a plan well in advance. If you have signed a BAA and you aren’t prepared for an audit, the process will be stressful and the quality will suffer.
For busy business owners, IT can be an afterthought. Companies often come to us to solve problems or to fix things that are broken. However, the importance of ensuring that IT is preventative cannot be overstated. We want to identify and resolve problems before they occur. Or, better yet, we can set controls in place so you don’t have to worry about possible data breaches. Whether it’s data security or server maintenance, it's much easier (and cheaper) to deal with things upfront than it is to deal with them in an emergency.
Following our recommendations can help you prepare for an audit so that you can put your best foot forward and highlight the things that you do well. When your IT policies are organized and thorough, it makes audits and compliance easier for you and helps show the auditor that you take data security seriously.
Partnering with a Managed Services Provider For IT Solutions for Your Biotech
When you sign a BAA, you could try to comply with the IT component internally. But a single person or small team won’t have the expertise of an entire company of seasoned IT professionals, so this strategy can put you at higher risk or cost you more money in the long run. Using data security professionals helps make sure your company is doing the right things throughout the process. Signing a BAA doesn’t prevent you from hiring a partner. You can have a chain of BAAs with any vendors to prevent liability. While each BAA is different and is its own independent contract, once you sign one and are HIPAA compliant, it will be easier to comply with additional BAAs in the future.