Covered entities and business associates have only until September 22, 2014 to update business associate agreements that were in place as of January 25, 2013. For those members of the health industry and their vendors that are still working to update these agreements, here are seven things to remember:
- Noncompliant agreements: If covered entities and business associates still continue to exchange protected health information (PHI) after the deadline without a compliant agreement, they would arguably be using or disclosing PHI in a manner not permitted by the HIPAA Privacy Rule. Therefore, such access, use, or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the four factors listed in 45 C.F.R. §164.402. If the parties are otherwise in compliance with HIPAA, it would seem that being able to demonstrate a low probability of compromise would be achievable, but this analysis should actually be conducted and documented.
- Minimum changes: For business associate agreements that were updated to address the HITECH Act of 2009 and were otherwise compliant, there is probably not much to change. It is important that the agreements require the business associate to comply with the Privacy Rule, to the extent the business associate is going to carry out a covered entity's obligations under the rules. Also, for electronic PHI, the business associate should be required to comply with the entire Security Rule, and not just parts of it.
- Consider addenda: It may not be necessary to try to re-negotiate a brand new agreement. Instead, the parties may be able to execute a short addendum that addresses the new requirements.
- Consider the OCR template: The Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, has a number of very useful resources on its website, including sample business associate agreement language. While this language, by itself, would not likely constitute a complete agreement, it provides a good starting point.
- Sale of PHI: Make sure that the agreement does not allow the business associate to engage in activities that would constitute a sale of PHI under the revised provisions in the 2013 omnibus HITECH Act regulations.
- Timeframes for reporting improper uses and disclosures: Business associates should be required to report to the covered entity any use or disclosure not allowed by the business associate agreement - not just breaches. Additionally, a number of states, including Florida, are imposing fairly short timeframes on business associates to report breaches and security incidents.
- State law: State laws may have changed since a covered entity last updated its business associate agreement templates. Both covered entities and business associates should ensure that the uses and disclosures allowed by their agreements conform to current state law.
Business associates and covered entities have their work cut out for them if they have not started updating their business associate agreements. The deadline is fast approaching.