Business Associate Agreements Deserve a Second Look - February Deadline Looms

January 14, 2010

When the Health Information Technology for Economic and Clinical Health Act (HITECH Act) was passed on February 17, 2009, several new requirements were placed upon Covered Entities and Business Associates. Although regulations continue to be published to clarify these requirements, confusion remains. Despite a lack of perfect information, it is in the best interest of Covered Entities (healthcare providers, insurers and employers sponsoring self-funded health plans) and Business Associates (subcontractors and other vendors of Covered Entities) to reassess their HIPAA plans, paying particular attention to potentially outdated and noncompliant Business Associate Agreements.

All Covered Entities and Business Associates should re-evaluate their current Business Associate Agreements, and plan for future Business Associate Agreements, with the following issues in mind:

  1. Check the Basics. Does your Business Associate Agreement form include the required HIPAA language for both the Privacy Rule and the Security Rule? Make sure both rules are addressed and outdated citations are replaced with current ones.
  2. Prepare for New Breach Notification Requirements. The Breach Notification rules went into effect September 23, 2009. While the Department of Health and Human Services (HHS) has stated that it will "not impose sanctions for failure to provide the required notifications for breaches that are discovered before 180 calendar days from the publication of [the] rule, or February 22, 2010," HHS expects Covered Entities to comply during this initial time period. Both Covered Entities and Business Associates need to familiarize themselves with the new reporting and documentation requirements, carefully consider how to address breaches in their Business Associate Agreements, and prepare to report breaches to HHS beginning early this year.
  3. Create a Fluid Document. Consider adding references to the HITECH Act and the corresponding regulations in the amendment provisions of your Business Associate Agreements to allow for easy modification as additional regulations go into effect.
  4. Consider the New Role of Business Associates and the February Deadline. Business Associates will be directly responsible for complying with portions of the Privacy Rule, Security Rule, and various HITECH Act regulations by February 18, 2010. The HITECH Act states that "the additional requirements of this title that relate to privacy [and security] and that are made applicable with respect to Covered Entities shall also be applicable to a Business Associate and shall be incorporated into the Business Associate Agreement between the Business Associate and the Covered Entity." Regulations have yet to be published to clarify whether this statement requires existing Business Associate Agreements to be amended to include these new Business Associate responsibilities. In addition, regulations regarding the HITECH Act's requirement to account for disclosures of electronic protected health information, restrictions on marketing and sale of protected health information, fundraising rules, expanded patients' rights, and guidance regarding "minimum necessary" disclosures are forthcoming this year. Though uncertainty remains, the new responsibilities may create additional risks for Business Associates and require a more discerning look at past, present, and future Business Associate Agreements.

Covered Entities and Business Associates may have diverging interests as they negotiate Business Associate Agreements, so it is important to consult counsel if you have any questions.

For a detailed explanation of the HITECH Act and the Breach Notification Rules, see Frost Brown Todd's April 10, 2009 Legal Update and October 6, 2009 Legal Update. If you have further questions, please contact Tom Anthony, Kristen Holt, Gretchen Tromp, or any of the attorneys in the Health Law Service Team or the Employee Benefits Practice Group.