Health Information Management

Q&A: HITECH requirements for business associate contracts

HIM-HIPAA Insider, February 16, 2010

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Q: Are covered entities and BAs required to revise their BA contracts? Do contracts executed prior to the Health Information Technology for Economic and Clinical Health Act (HITECH) have to meet the new statutory and regulatory compliance deadlines?
 
A: Covered entities and BAs are required to amend existing BA contracts or negotiate new contracts.
 
Pre-HITECH BA contracts do not comply with the interim breach notification rule or the new BA-related statutory requirements. The breach notification requirements for BAs became effective September 23, 2009, and many of the other BA-related requirements become effective February 17.
 
Covered entities and BAs should amend contracts based on requirements in the statute and the interim final breach notification rule. They should not wait for the Office for Civil Rights to publish rules related to BA contract requirements. In the absence of rule, statute governs. Therefore, BAs are already required to notify covered entities within a set period of time if they experience a breach.
 
It is wise to update or amend contracts as soon as feasible to meet the February 17 statutory deadline and the already-effective interim breach notification rule requirements.
 
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question in the February issue of Briefings on HIPAA.



Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Most Popular