Thursday, March 25, 2010

Should HIPAA Business Associate Agreements be Modified to Comply with HITECH?

Elizabeth E. Hogue, Esq.
Office: 877-871-4062
Fax: 877-871-9739
E-mail: ElizabethHogue@ElizabethHogue.net

Many providers have asked whether they should modify their business associate agreements to comply with the HITECH Act. There is ongoing discussion and debate in the legal community about this issue. It seems fair to say that business associate agreements should be modified to comply with the HITECH Act's requirements regarding notification of breaches, since the regulations implementing those requirements have already been published and are in effect.

On August 19, 2009, the Department of Health and Human Services (HHS) issued an interim final rule entitled “Breach Notification for Unsecured Protected Health Information.” This rule describes how healthcare providers must notify patients when the security of their protected health information has been breached. Providers were required to comply with these new requirements beginning on September 23, 2009. Providers are also required to revise their internal policies to include these requirements.

According to HHS, a breach occurs when protected health information is acquired, accessed, used, or disclosed in a way that compromises its security or privacy and poses a “significant risk of financial, reputational, or other harm to the individual.” The notification requirements apply only to unsecured protected health information, that is, information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction consistent with HHS guidance. Breaches involve access to a patient’s information by unauthorized persons, except where the provider or its employee discloses the information to an unauthorized person in the good-faith belief that the person would not reasonably have been able to retain it.

HHS states that breach notification must include:

1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;

2. A description of the types of unsecured [emphasis added] protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);

3. Any steps individuals should take to protect themselves from potential harm resulting from the breach;

4. A brief description of what is being done to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and

5. Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.

Implementation of HIPAA has been cumbersome for many providers, and it is likely to remain problematic in terms of understanding both what is required and when it is required.

©Copyright 2010, Elizabeth E. Hogue, Esq. All rights reserved.

No portion of these materials may be reproduced by any means without the advance written permission of the author.
