Review agreements

Thursday, October 28, 2010

Q. How do the new HIPAA/HITECH rules change our relationships with business associates that handle patient information on our behalf?

A. Under HIPAA, HME suppliers must have agreements in place with their business associates who perform activities involving the use or disclosure of protected health information (PHI) while providing services on their behalf. HHS recently issued a proposed rule to implement changes to HIPAA and clarify whom it considers subject to the new HITECH law.

HITECH regulates business associates (BAs) directly and requires BAs to comply with many HIPAA standards that covered entities follow, like implementing appropriate training. Organizations such as the National Association for Home Care & Hospice asked HHS to reconsider whether BA agreements are even necessary now that BAs are regulated directly. These organizations believe that simply requiring the parties to define in the main agreement how the BA may use and disclose PHI to perform its responsibilities, together with an acknowledgement by the BA that it will comply with the HIPAA/HITECH rules, is a better way to implement privacy and security protections.

However, the proposed rule still would require BA agreements, not only for BAs but also for any subcontractors to whom a BA provides PHI. HHS would not require BA agreements to be amended until after the final rule is published and a minimum 240-day grace period has passed. An additional year would be allowed for compliant BA agreements as of the date the final rule is published, if it is not renewed or modified during that period.

So given that the regulations are in a state of flux, should you amend your BA agreements and update existing agreements specifically for HITECH? The answer depends upon whether your current BA agreements adequately address current HIPAA/HITECH rules, and whether the new regulations create business issues or new risks. It is not too early to work closely with your partners to confirm whether the party is a BA and review whether PHI needs to be created, transmitted or maintained electronically or at all.  hme

Amy Leopard heads the health care practice group at the law firm of Walter & Haverfield LLP. Reach her at