The BridgeBlog

Are new business associate agreements needed with the coming HITECH deadline?

This is probably the most common question I get asked these days. There are two camps of thought.

1. Many business associate agreements are written with “evergreen” language that automatically incorporate any future changes to HIPAA regulations. So – you could make an argument that the HITECH changes are incorporated by reference. While technically accurate, I think it’s a risky path to take.
2. Contracts tend to be relied on when things go wrong – such as if there is a breach of PHI. In that situation, both parties will be better served if the agreement lays out specifically what should occur and where responsibilities lay. If it’s gray – you’ll spend precious time arguing over who should do what and who should pay for it. Better to have that debate now -  before the unpredictable happens.

Having an agreement discussion has the positive side effect of forcing organizations to consider the potential risks and liabilities of a breach and taking proactive steps to ensure the risk is minimized in the first place – which is a good thing for everyone.

For specific information concerning the upcoming HIPAA changes, here are a few resources -

• HHS HITECH Act Enforcement Interim Final Rule>>>

• HHS HITECH Breach Notification Interim Final Rule>>>

• CDT Releases HITECH HIPAA Guidance>>>

To report a breach to the HHS, go to: http://transparency.cit.nih.gov/breach/index.cfm.

Learn about our HIPAA training and learning services by going to: www.hipaarx.net.

Please send questions and comments to info@hipaarx.net or call 866.447.2211.