Since 2003 HIPAA regulations have required that Business Associate Agreements be in place. However, some of the most far-reaching provisions of the HITECH Act of 2009 have to do with new requirements for Business Associates of Covered Entities. So even if you have these agreements in place, you may very well be needing to revisit, rewrite, and reissue them.
Here’s what you need to know.
Covered Entities who need to comply with the HIPAA Privacy and Security Rules …
- include those who disclose Protected Health Information (PHI) to vendors, medical billing companies, consultants and others with whom they do business (Business Associates),
- must, as of February 17, 2011,
- have a written agreement with their Business Associates,
- extending various HIPAA regulations and compliance requirements to these Business Associates.
Although the Health and Human Services Department (HHS) is supposed to issue a model HIPAA Business Associate Agreement, incorporating these new requirements, it has yet to do so. Nevertheless, Covered Entities are supposed to execute written Agreements with their Business Associates as of February 17, 2011
Business Associate Agreements – HITECH requirements include:
- Business Associates must notify the Covered Entity of a breach of unsecured Personal Health Information (PHI) as described in Section 13402 of HITECH.
- The Business Associate is now directly subject to certain HIPAA Security and Privacy provisions.
- Reciprocal requirement that a Business Associate must take the same steps a Covered Entity must take if it knows of a pattern or practice of the other party in material breach of the Business Associate Agreement.
- Incorporate the definition of “Business Associate” under HITECH.
- Include a provision that addresses modification of the Agreement in the event of an applicable change in the law.
- Require the Business Associate’s Sub-Contractors to comply with the same requirements.
- Comply with general Security Rule Requirements, including:
1. Ensure the confidentiality, integrity, and availability of all ePHI;
2. Protect against any reasonably anticipated threats or hazards of ePHI;
3. Protect against any reasonably anticipated uses or disclosures of ePHI not permitted or
4. required under the Privacy Rule;
5. Ensure your workforce complies with the Security Rule including:
§164.308 Administrative safeguards
§164.310 Physical safeguards
§164.312 Technical safeguards
§164.314 Organizational requirements
§164.316 Policies and procedures and documentation requirements.
And the civil and criminal penalties that apply to Covered Entities can also be applied to Business Associates.
An updated Business Associate Agreement is mandatory in today’s regulatory and legal environment. If you don’t have a template to work with, or if your template isn’t an up-to-date version that addresses the requirements of the HITECH Act, then take a look at the Business Associate Agreement template that we recommend.