Featured Article
This month's featured article is entitled: Business Associate Contracts: HITECH Act Implications. Business Associate ("BA") contractual requirements, although a part of HIPAA from the outset, were largely ignored by the majority of primary care providers. Why? Because HIPAA was a paper tiger. Many healthcare consultants simply advised small practices to ignore HIPAA altogether, other than the privacy notice itself, and until recently that was sound business advice (even though it was "technically" bad legal advice).
The HITECH Act changes all of that, for reasons that many in the healthcare industry are only now starting to understand. It is not simply the fact that "big brother" has sent the message that "we are coming after you" but, in addition, patients themselves are becoming quite vocal regarding their privacy rights, especially in the always-on electronic universe that we all now inhabit, an environment that the healthcare industry is now finally adopting, although still somewhat reluctantly.
The HITECH Act: 1) makes HHS audits mandatory (despite the fact that the exact methodology has yet to be worked out); 2) provides for stiffer non-compliance fines; 3) allows (eventually) individual patients to participate in the proceeds of fines levied on their behalf; 4) returns proceeds from fines into HHS's coffers; and 5) allows state attorneys general to bring suit on behalf of their citizens. In short, it is time to start paying attention to BA contracts because any HHS audit, or civil legal action, is certain to raise the issue.
This article provides an overview of the basic sections that will need to be part of any HITECH-ized BA contract. Essentially, it describes the key sections of a "model contract." This overview obviously does not provide an exhaustive description of what might be included in such a contract. Particular BA/CE pairs will have specific issues that they will want to address, including but not limited to how they plan to exchange electronic data to satisfy various HIPAA and HITECH regulations, even outside of the scope of an EHR (e.g. breach notification information and accounting disclosures).
Healthcare providers may have many more BA relationships than may be apparent. The definition of a business associate is quite broad and may include professional services providers such as attorneys, accountants, technology consultants, and others, depending on whether or not you share PHI with said partners in order for them to deliver their respective services.
The HITECH Act not only requires that a CE have contracts with all its BAs, it also imposes a reciprocal monitoring of contractual terms on both parties. In short, if either party is in breach of the contract, and said breach cannot be cured, then both parties are required to terminate the contract and, if said contract cannot be terminated, to report the breach of contract to the Secretary of HHS.
HITECH Ready Business Associate Contract & Compliance Roadmaps now available in the HSG Store.
Business Associate Agreement: a HITECH Ready Model Contract
The HIPAA regulations and the HITECH Act mandate that a CE establish a written contract with a BA in a number of instances, including whenever a BA "manages" PHI on behalf of a CE.
Our Model Contract includes provisions that meet the requirements of HIPAA/HITECH and is fully annotated with links, where appropriate, to the relevant statutory/regulatory authority that underpins each Contract clause.
The Contract package also includes a complete "User's Guide," with a clause-by-clause explanation of the issues addressed in the Contract. It can be used, with minor modifications, out-of-the-box, or as an educational tool to draft a customized version.
The Security Rule Under HITECH: a Business Associate Perspective
The most important step for building a "good SR compliance story" is for the business associate to get started. The approach recommended herein is to build the story iteratively over time. Most business associates (large or small) will likely need help in creating the story. Getting started in the wrong direction initially could be far more costly in the long run, since much of the compliance budget may simply be wasted. The framework discussed throughout this document provides a good road map to follow.
HIPAA Survival Guide Third Edition
The Third Edition of the HIPAA Survival Guide updates various substantive text of the first two editions and adds completely new material. The HITECH Act has indeed proven to be transformational. In order to deal more effectively with its changing regulatory landscape we have decided to release an updated version available here and on Amazon's Kindle platform.
Join Our Mailing List
Interested in staying current on HITECH / HIPAA compliance issues? Click the "join our list" link above and receive your own copy of the newsletter on the first business day of each month.
Also, if you are interested in "jumpstarting" your compliance efforts, then check out the HSG Store. If you need to compare EHR software offerings, click here, and if you need a HITECH compliant data backup checklist, click here.
Finally, if you are interested in reducing costs and delivering more value to your patients, then check out Info-Surge's patient engagement portal.
Dear Carlos,
Welcome to the June 2010 HITECH / HIPAA Compliance Newsletter. The featured article this month is entitled: "Business Associate Contracts: HITECH Act Implications." This article presents an overview of issues that business associates ("BA") and covered entities ("CE") face when entering into a binding contractual agreement (the "Contract") as required by HIPAA and HITECH.
To say that the HITECH Act changes everything in the Contract would be an overstatement, but on the other hand, it is not pure hyperbole either. HITECH changes much of the Contract, if only regarding specific "tweaks" to just about every clause (i.e. assuming readers are familiar with "standard" BA contracts).
More important, however, is the fact that HITECH transforms HIPAA from a paper tiger into a statutory/regulatory scheme with real teeth (some might say fangs), and that makes all the difference in the world. In short, the Contract must now reflect the fact that BAs and CEs must jointly build a good compliance story over time.
Collaboration is an overused term, but one that is an appropriate description of what must occur if the parties are going to achieve their mutually beneficial objective. Therefore, the Contract must reflect that this is not your daddy's healthcare industry any more!
We are now actively promoting what we believe to be the best-of-breed HIPAA compliance tracking system ("CTS") on the market. We performed a significant amount of due diligence over the last couple of years and this is the one solution that is clearly ahead of the pack and economically priced to be within the reach of even the smallest covered entities and business associates. To see a demo of the product click here.
We are also pleased to announce the availability of our Breach Notification Framework. Section 13402 of the HITECH Act requires that HIPAA covered entities and their business associates provide various notifications following a breach of unsecured protected health information. Our Breach Notification Framework offers guidance for complying with HITECH's Breach Notification requirements.
Our EHR Library remains one of our most popular downloads. Here you will find content that will help you select the right EHR package for your practice or facility.
We continue to be excited regarding the marketplace feedback of our Business Associate Agreement: a HITECH Ready Model Contract.
Our Model Business Associate Contract, Roadmaps, and other offerings are now available in the HSG Store.
Want to stay updated throughout the month? Then follow Debbie on Twitter by clicking on the badge below. If you would like to read more regarding the authors' views on HIT and compliance, click here and here and subscribe to their blogs.
Become a Fan
Follow us on Facebook by becoming a fan of the guide and support the HSG by purchasing some HSG Wearables. Also, be sure to check out our HITECH Videos.
HSG is now welcoming advertisers to help support one of the most comprehensive and usable HITECH / HIPAA sites on the Internet. Our audience continues to grow as healthcare providers, both large and small, return to HSG again and again.
Business Associate Contracts: HITECH Implications
All business associate contracts will have certain key sections as required by the regulations. This article walks you through each key section from our perspective, highlighting issues that you should consider before entering into a binding agreement. It should be noted that these issues will obviously vary with the individual party using the agreement, and with whether your organization is a Covered Entity ("CE") or a Business Associate ("BA").
In addition to the sections required by the regulations, most contracts have "boilerplate" sections that are meant to address a number of important legal issues. Although the latter usually do not deal with the substantive aspects of the contract (i.e. the principal rights and duties of the respective parties), these covenants and conditions are nonetheless critically important, addressing issues including, but not limited to, the following: 1) in what jurisdiction/venue a suit may be brought; 2) the duration of the contract and how it is terminated; 3) whether parts of the contract are severable from other parts; 4) whether this is the entire agreement between the parties on this subject matter, or included within another agreement; 5) whether substantive parts of the contract survive termination, etc.
The article walks you through what we believe to be the must-have sections of a BA contract. These sections are not meant to be exhaustive because particular parties will have specific needs that cannot be anticipated without closely scrutinizing the relationship between the parties. The sections are as follows:
The remaining part of this article will point out issues that should be considered within each section.
- Introduction: identifies the respective parties by their legal names, indicates their principal place of business, and usually the type of business each is engaged in. Here we would identify the BA and the CE.
- Definitions: if there are terms of art that are used throughout the contract then they should be specified in a definitions section so that the parties are absolutely clear as to their meaning. This mitigates, although does not absolutely eliminate, ambiguity regarding key terms. In a BA contract there are a number of terms that are defined in the statutes and regulations, and contract terms should be defined in terms of same.
- Obligations and Activities of Business Associate: There are a number of contract duties that are required of the BA in order for the CE to meet its obligations under the statutes and regulations. In addition, under the HITECH regulatory scheme there are a number of collaborative activities that are implied, but not prescribed, by the Act. The contract should deal with the implications in an appropriate manner.
- Permitted Uses and Disclosures of Business Associate: This section enumerates the permitted uses and disclosures of PHI that a BA is authorized to perform under the contract and/or under applicable law.
- Obligations and Activities of Covered Entity: The CE has a corresponding set of duties (and rights) under the contract that are enumerated in this section.
- Term and Termination: Most contracts contain term and termination provisions, which state when the agreement begins, and when/how it ends. General principles governing the formation and termination of contracts apply, and may vary somewhat from state to state. In general, a contract becomes enforceable on its effective date. Once a contract becomes effective, it will remain in effect until validly terminated.
- Entire Agreement: The contract will be a playbook, so to speak, for that part of the relationship between the CE and the BA that involves the provisions included in the contract, generally PHI and related subject matter.
- Governing Law Section: Generally, the law of the place where a contract will be performed governs the contract. In this section, you get to choose which state's law will apply to the Agreement. Selecting your home state may give you home court advantage, but the laws of another state may be more favorable to you.
- Miscellaneous: This section covers several separate but important principles regarding the contract, and provides guidance for understanding or interpreting the contract. It also contemplates that the contract may need to be amended at some point to keep up with changing rules and regulations.
- Counterparts: Providing for the contract to be executed in counterparts allows you to enter into the contract without the need for both parties to be in the same room at the same time to sign it. This is particularly useful when the parties reside in different areas, or are unable to coordinate busy schedules.
About Us
We help companies safely and securely do business on the web, in accordance with applicable law. How? By helping them reduce risk. Privacy and security compliance issues are merely a subset of legal issues that online businesses face. This is equally true for eCommerce sites as it is for healthcare providers, facilities, and vendors.
We take a partnering and collaborative approach in our legal practice. If you would like to see specific topics covered in this newsletter then please let us know.
The Digital Business Law Group, P.A.