Health Information Management

Q&A: BA contract amendments, HITECH requirements, and indemnification clauses

HIM-HIPAA Insider, May 31, 2011

Q: A covered entity encounters difficulty when executing updated business associate contracts. Business associates are requesting amendments that exclude language pertaining to some HITECH requirements. The covered entity also has included an indemnification clause that has not been popular with its business associates. Is this a common occurrence?

A: It is not uncommon. Business associates must comply with HITECH requirements that pertain to them regardless of whether the business associate contract includes them. Including an indemnification clause is relatively common and considered appropriate, but neither HIPAA nor HITECH requires it. If feasible, consider seeking services elsewhere if a business associate is unwilling to sign a contract that includes HITECH requirements or an indemnification clause.

Inform business associates that they must adhere to HITECH requirements regardless of whether their contract includes this language. Refer to 45 CFR 164.314(a)(1) and 45 CFR 164.502(e)(2).

A covered entity should also include language that allows it to amend a contract if necessary without business associate consent. This type of provision allows contract changes that become effective after a set period of time following business associate notification. Executing an addendum rather than a completely new contract is advisable when an existing contract already includes this language. Business associates may object, but they would be legally bound by the amended contract nonetheless.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question in the May issue of Briefings on HIPAA.
