Skip to content Skip to navigation

Business Associate Agreements and HITECH: When to Amend?

June 7, 2009
by Reece Hirsch
| Reprints

The HITECH Act requires that certain new provisions be included in HIPAA business associate agreements by February 18, 2010. The problem is that the Department of Health and Human Services ("HHS") has yet to offer clarification regarding the precise provisions that must be included in these new business associate agreements or sample contract language.

On May 29, in a posting on a Health Care Compliance Association listserv, Susan McAndrew, Senior Policy Specialist with the HHS Office for Civil Rights ("OCR"), stated that OCR will be working over the summer on a proposed rule that should be issued later this year. Ms. McAndrew also noted that OCR has not yet updated the model business associate agreement on the OCR website.

So what do you do if you must enter into a business associate agreement today that will have a term that will run through February 18, 2010? You can either take your best shot at addressing HITECH requirements, with the understanding that subsequent modifications may be necessary, or you can amend the agreement in late 2009 or early 2010 when (hopefully) recommended sample provisions and additional guidance will be available. These are questions that HIPAA covered entities and business associates are grappling with right now. One consideration favoring amending business associate agreements early is the fact that the new security breach notification obligations imposed on business associates will become effective by September 18, 2009 (or sooner, depending on when HHS issues final regulations on the subject).

Topics

Comments

We are also recommending that entites use this time to assess their compliance with existing HIPAA requirements. Given the lack of scrutiny around HIPAA in recent years, many organizations have become slack in adhering to the policies and procedures already in place. Use the next few months to refocus your efforts. As the new requirements for BAs and protection of PHI come forward, you will be more prepared to address them.

Reece Hirsch

Partner, Morgan, Lewis & Bockius LLP

Reece Hirsch's Health Care Privacy Law Blog offers a lively commentary on a wide range of...