Some controversy has erupted regarding the status of business associate agreements when the business associate refuses to enter into one. The preamble to the HHS July 14, 2010 proposed regulations provides that if a covered entity and business associate have failed to enter into a business associate agreement, the business associate may use or disclose protected health information only as necessary to perform its obligations for the covered entity (pursuant to whatever agreement set the general terms for the relationship between the covered entity and business associate) or as required by law; any other use or disclosure would violate the privacy rule. Some business associates have interpreted this as a default standard of having no BA agreement. It appears that HHS was trying to set forth some protection for covered entities that needed to do business with a BA but couldn’t get the BA to agree to a BA agreement. (Unfortunately, this situation is becoming more common.) However, I seriously doubt that HHS was attempting to set forth a default “no BA agreement standard” when the requirement remains that all CEs must obtain a BA agreement with their BAs. In addition, the disclosure allowed in such a situation is so limited that any other use or disclosure, such as a use of PHI by a BA for data aggregation, would violate the privacy rule. Further, monetary penalties for not signing a BA agreement apply equally to both the CE and the BA. Look for clarification of this in the final regulations.