
Business Associate Agreements – new HIPAA rules mean mandatory updates

Jim Hook, MPH

It seemed a long time off, back in February of 2011, when HIPAA regulations issued after the HITECH Act extended various provisions of the HIPAA Privacy and Security Rules to Business Associates of Covered Entities. But Tuesday, March 26, 2013, the day when these requirements must be in writing, has finally arrived. And that means it’s time to get serious about the Business Associate Agreements that your organization has.

Business Associate Agreements have requirements

Just to review, the following points are fundamental requirements for a business associate agreement under the HITECH Act and HIPAA:

  • Business Associates must notify the Covered Entity of a breach of unsecured PHI as described in Section 13402 of HITECH.
  • The Business Associate is now directly subject to certain HIPAA Security and Privacy provisions.
  • There is a reciprocal requirement that a Business Associate must take the same steps a Covered Entity must take, if it knows of a pattern or practice of the other party in material breach of the Business Associate Agreement.
  • Business Associate Agreements must incorporate the definition of “Business Associate” under HITECH.
  • Business Associate Agreements must include a provision that addresses modification of the Agreements in the event of an applicable change in the law.
  • Business Associates must comply with general Security Rule requirements, including:
      • ensuring the confidentiality, integrity, and availability of all ePHI;
      • protecting against any reasonably anticipated threats or hazards to ePHI;
      • protecting against any reasonably anticipated uses or disclosures of ePHI not permitted or required under the Privacy Rule;
      • ensuring that the workforce complies with the Security Rule.
  • Business Associates must comply with specific sections of the Security Rule, including:
      • §164.308 Administrative safeguards
      • §164.310 Physical safeguards
      • §164.312 Technical safeguards
      • §164.314 Organizational requirements
      • §164.316 Policies and procedures and documentation requirements.

On top of that, Business Associates must require their Sub-contractors who have access to PHI in the custody of the Business Associate, to comply with all of these provisions – and to have a written agreement to that effect. Talk about an expansion of regulations!

Updated Business Associate Agreements are required … but not yet


The good news, such as it is, is that Covered Entities do not have to start using updated Business Associate Agreements until September 23, 2013. Existing agreements do not have to be updated to the new requirements until September 22, 2014. Of course, even without updated Business Associate Agreements in place, Covered Entities, Business Associates and Business Associate Sub-contractors are all required to comply with the regulations, including reporting breaches of PHI. And they are all subject to the criminal and civil penalties that are permitted under HIPAA regulations.

Many Business Associates are now being asked by Covered Entities whether they have completed a Business Associate HIPAA Risk Assessment, which is also required under the regulations. This is another area of concern for Business Associates, since the organization must be able to demonstrate that it is complying with the regulations – not just sign a document stating that it is.

Deadlines arrive quickly, so be proactive

Don’t wind up on the breach “Wall of Shame” for breaches affecting 500 or more individuals. Take action now to update your Business Associate Agreements and to assess your risks under HIPAA. Penalties and even criminal charges aren’t going away any time soon!

Updated Business Associate Agreements are mandatory in today’s regulatory and legal environment. So it’s time to revisit and revise your form, and to make sure that the Business Associate Agreement template that you’re using meets the required changes described above.

1 Comment to “Business Associate Agreements – new HIPAA rules mean mandatory updates”

  1. I have been using your free Business Associate Agreement for the past couple of years. Do you have an updated version that meets the 9/23/13 requirements? Members of Div 42 (Independent Practice) of APA are trying to find a low cost / free updated template and I will forward your name if you do have one.

    Also, I have been previously contacted by someone from your company regarding a free audit. I would be interested in hearing more about that at this point.

    Thank you


Excellence since 1989

The Fox Group was founded in 1989 and has provided outstanding healthcare consulting and executive management services to domestic and international clients throughout the United States and Europe.
