Corporate Compliance

Q&A: Covered entities and BA contracts

Compliance Monitor, February 3, 2010

Q: Are covered entities and business associates (BAs) required to revise their BA contracts to comply with the Health Information Technology for Economic and Clinical Health (HITECH) Act?

 A: Covered entities and BAs are required to amend existing BA contracts or negotiate new contracts. Contracts executed prior to the HITECH Act do not comply with the interim breach notification rule or the new BA-related statutory requirements. The breach notification requirements for BAs became effective September 23, 2009, and many of the other BA-related requirements become effective February 17. Covered entities and BAs should amend contracts based on requirements in the statute and the interim final breach notification rule. They should not wait for the Office for civil rights (OCR) to publish rules related to BA contract requirements. In the absence of rule, statute governs. Therefore, BAs are already required to notify covered entities within a set period of time if they experience a breach. It is wise to update or amend contracts as soon as feasible to meet the February 17 statutory deadline and the interim breach notification rule requirements.

Chris Apgar, CISS, answered this question in the February 2010 issue of the HCPro newsletter Briefings on HIPAA. For more information about this newsletter visit the HCMarketplace.

Most Popular