[ Friday, October 24, 2003 ]


Business Associate Agreements and the effect of the Security Regulations. I haven't blogged about this in a while, but I have talked about it in seminars and speeches I've given. You have probably already gotten business associate agreements (BAAs) in place with all of your BAs, as you were required to do under the Privacy Regulations (which, of course, are enforceable and have been for 6 months). You might also know that the Security Regulations have requirements for BAAs as well. Pursuant to the Security Regulations, you must contractually obligate your BAs to:

- Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the covered entity's electronic PHI that the BA creates, receives, maintains, or transmits on behalf of the covered entity;

- Ensure that agents and subcontractors to whom the BA provides ePHI agree to implement reasonable and appropriate safeguards;

- Report to the covered entity any security incident of which it becomes aware;

- Agree to a termination of the contract if the BA has violated a material term of the BAA.

See 45 CFR 164.308(b) and 45 CFR 164.314(a).

Under the BAA requirements of the Privacy Rule (45 CFR 164.504(e)(2)), the 2nd and 4th bullet points are completely covered. The Privacy Rule also says that the BAA should require the BA to "report to the covered entity any use or disclosure of the information not provided for by [the BAA] of which it becomes aware." This is pretty close to the 3rd bullet point. And the Privacy Rule says that the BAA must contain an obligation by the BA to "use appropriate safeguards to prevent use or disclosure of the information other than as provided for by" the BAA. This is pretty close to the first bullet point, but not as explicit: it makes no reference to "administrative, technical and physical" safeguards or to "confidentiality, integrity, and availability."

Of course, it would have been nice if the Security Rule BAA requirements had lined up exactly with the Privacy Rule requirements. They are pretty close, though.

You should take a look at your BAAs and see if they are close enough to the Security Rule requirements to make you comfortable. Keep in mind that the Security Rule changes only affect ePHI, not all PHI, so if you have some BAs that only get non-electronic PHI (for example, lawyers who only see paper documents and don't look at your computer or electronic data), their BAAs won't be affected by the Security Rule. Also, look to see if your BAAs have some self-amending provisions that automatically incorporate future changes in the law (make sure any such provision isn't just limited to Privacy Rule changes, though). If not, you might as well start the process of amending them.

Jeff [9:59 AM]

