Government enforcement used to seem a long time off when HIPAA regulations issued after the HITECH Act extended various provisions of the HIPAA Privacy and Security Rules to Business Associates of Covered Entities. But that seemingly far-off enforcement has since been put into play, and the penalties have some real bite. So if you haven’t already, it’s time to get serious about the HIPAA Business Associate Agreement that your organization has.
A HIPAA Business Associate Agreement has requirements
- Business Associates must notify the Covered Entity of a breach of unsecured PHI as described in Section 13402 of HITECH.
- The Business Associate is now directly subject to certain HIPAA Security and Privacy provisions.
- There is a reciprocal requirement: if a Business Associate knows of a pattern or practice of the other party that constitutes a material breach of the Business Associate Agreement, it must take the same steps a Covered Entity would have to take in that situation.
- A HIPAA Business Associate Agreement must incorporate the definition of “Business Associate” under HITECH.
- A HIPAA Business Associate Agreement must include a provision that addresses modification of the Agreement in the event of an applicable change in the law.
- Business Associates must comply with the general Security Rule requirements, including:
  - Ensure the confidentiality, integrity, and availability of all ePHI;
  - Protect against any reasonably anticipated threats or hazards to ePHI;
  - Protect against any reasonably anticipated uses or disclosures of ePHI not permitted or required under the Privacy Rule;
  - Ensure the workforce complies with the Security Rule.
- Business Associates must comply with specific sections of the Security Rule, including:
  - §164.308 Administrative safeguards
  - §164.310 Physical safeguards
  - §164.312 Technical safeguards
  - §164.314 Organizational requirements
  - §164.316 Policies and procedures and documentation requirements.
On top of that, Business Associates must require their Sub-contractors who have access to PHI in the custody of the Business Associate to comply with all of these provisions – and must have a written agreement with each Sub-contractor to that effect. Talk about an expansion of regulations!
An Updated HIPAA Business Associate Agreement is required … but not yet
The good news, such as it is, is that Covered Entities do not have to start using an updated HIPAA Business Associate Agreement until September 23, 2013. Existing agreements do not have to be updated to the new requirements until September 22, 2014. Of course, even without an updated HIPAA Business Associate Agreement in place, Covered Entities, Business Associates and Business Associate Sub-contractors are all required to comply with the regulations, including reporting breaches of PHI. And they are all subject to the criminal and civil penalties that are permitted under HIPAA regulations.
Many Business Associates are now being asked by Covered Entities if they have completed a Business Associate HIPAA Risk Assessment, which is also required under the regulations. This is another area of concern for Business Associates since the organization must be able to demonstrate it is complying with regulations – not just signing a document that it is doing so.
Deadlines arrive quickly, so be proactive
Don’t wind up on the breach “Wall of Shame,” the public list of breaches affecting 500 or more individuals. Take action now to update your HIPAA Business Associate Agreements and to assess your risks under HIPAA. Penalties and even criminal charges aren’t going away any time soon!
An updated HIPAA Business Associate Agreement is mandatory in today’s regulatory and legal environment. So it’s time to revisit and revise your form, and to make sure that the HIPAA Business Associate Agreement template that you’re using meets the required changes described above.