• E-mail
• Print
• RSS

What should we include in our BA agreements?

HIPAA Weekly Advisor, June 14, 2002

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

Q: We are in the process of identifying our facility's business associates. What should we include in our agreements to protect our facility from being held liable for privacy violations caused by business partners?

A: Protect your facility by going beyond HIPAA's business associate requirements. You need to include more in your business associate agreements than just what the privacy rule requires.

The rule itself does not require you to provide business associates with your facility's notice of privacy practices. It also doesn't mandate that you terminate contracts with business associates who are responsible for violations and do not attempt to fix the problem. But it's wise to include both provisions in your agreements. Use the following advice for dealing with business associate agreements:

1. Pay attention to renewal deadlines.
You have to be on top of this so you can discuss HIPAA with business associates well before the deadlines. Also, include clauses in your contracts that prevent automatic renewals.

2. Don't rely on model contracts.
Model language, like that in the proposed privacy rule changes (see the "Appendix to the Preamble-Model Business Associate Contract Provisions" on p. 14809 of the March 27 Federal Register), is only a small help. You can look at it as a general guidance, but you shouldn't think this is a contract you should have. There are a lot of model business associate contracts floating around, but each business associate relationship is different.

If you have a model contract, there is a concern that if you deviate from the model you're somehow out of compliance. You'd probably be ok in terms of meeting the regulations, but you need to protect your facility.

3. Spell everything out.
Do not reference sections of the privacy rule in contracts. The rules will be changed, so reiterate and spell out what the requirement or standard is instead. Then make a general reference that the provisions should be consistent with the privacy rule and if there is a conflict, the regulations would supercede.

4. Use "place-holder" language.
Most covered entities have been trying to put the business associate language into contracts but are still waiting for everything to be finalized. Include a paragraph or provision specific to HIPAA in which the business associate acknowledges the rules and says it will cooperate with complying.

The language should also say the business associate will make amendments to the contract as necessary to comply. The contract won't have all the elements of a HIPAA-compliant business associate arrangement. But it acknowledges that HIPAA is something that will be coming down the pike, and it won't re-open the whole contract-negotiating process.

Editor's note: Adapted from the June 2002 issue of Briefings on HIPAA.

Answered by Thomas E. Jeffry, Jr., Esq., partner at Davis Wright Tremaine LLP, in Los Angeles, and co-chair of the WEDI privacy policy advisory group.

Go to http://www.hipaapro.com/news/hipaa_downloads.cfm to download a PDF file of the proposed privacy rule changes.

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• E-mail to a Colleague
• Print
• RSS
• Archive