As you are no doubt aware, on February 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009, which included the HITECH Act. The HITECH Act modifies several areas of federal privacy law, most notably applying many HIPAA obligations directly to business associates, where such entities previously were only required to comply with the terms of business associate agreements (BAAs). Specifically, the HITECH Act applies most of the security standards and a number of the privacy standards directly to business associates, requires business associates to comply with the new security breach notification requirements and subjects business associates to penalties for HIPAA violations. The HITECH Act also expanded privacy and security obligations for both business associates and covered entities.
We are now approaching February 17, 2010, the date when most of these changes become effective (although some, such as the security breach notification requirements, have already taken effect and others will take effect later). Regulations implementing many of the HITECH Act provisions have yet to be released and the regulatory agency responsible for publishing those regulations has been silent on the timing of such regulations. Accordingly, covered entities and business associates should be active in setting up compliance procedures consistent with the HITECH Act, but be ready to alter these procedures should regulations provide more clarity or additional requirements.
Amendment of Business Associate Agreements
Although the modifications related to BAAs take effect on February 17, 2010, there is still some uncertainty regarding whether existing BAAs must be amended to reflect the HITECH Act requirements. This uncertainty stems from language in the HITECH Act, which states that changes "shall be incorporated into the BAA…." Some have interpreted this ambiguous language to mean that any changes from the HITECH Act will be automatically incorporated into existing BAAs. The majority of commentators, by contrast, have taken this to mean that the BAAs must be amended as of February 17. We side with the majority of commentators in recommending amendments to existing BAAs, but this is very much an open question. In either case, we recommend that all new BAAs contain provisions meeting the HITECH Act requirements.