Business Associate Agreements: The HITECH provisions of HIPAA contain some big changes for business associates, as well as some changes to business associate agreements. But the specifics aren't that well defined. What should you do? Should you amend your existing BAAs? Should you adopt a new form of BAA for new relationships, but keep the existing form to see what happens?
Well, according to Susan McAndrew, OCR's deputy director for health information privacy, HHS is drafting rules that specify what need to go into your BAAs. My advice so far has been to wait; maybe you should adopt some new, relatively generic references to the new HITECH provisions and put them into your standard form BAA, but don't worry about amending your existing BAAs. I'm sticking with that advice.