October 16, 2019

October 15, 2019

Subscribe to Latest Legal News and Analysis

October 14, 2019

Subscribe to Latest Legal News and Analysis

Health Information Technology for Economic and Clinical Health (HITECH) Compliance Deadline Looms - Updating Business Associate Agreements Is a High Priority

The Department of Health and Human Services (HHS) has set a compliance deadline of September 23, 2013, for HIPAA-covered entities to meet essentially all aspects of the new HIPAA rules that were recently updated to implement the Health Information Technology for Economic and Clinical Health (HITECH) Act. Among the many necessary tasks are making changes to policies, privacy notices, training, and a covered entity’s practices such as implementation of individual privacy rights, breach reporting, security measures and business associate contracting. You can read more about these changes, increased enforcement and breach reporting in our past articles on HIPAA under Related Publications to the right. 

One of the highest priority items is updating business associate agreements (BAAs), because the distribution, negotiation and execution process can be time-consuming. Note that BAAs in place prior to January 25, 2013, may be updated either on the next modification or renewal, or prior to September 22, 2014, whichever is earlier. BAAs entered into after January 25 and going forward must be updated by September 23, 2013.

We recognize that the covered entity population needs affordable tools to assist them in their compliance efforts.  For that reason, we have created a BAA template that will help covered entities meet these compliance obligations.  Unlike other BAA templates available, this version includes a number of provisions that are not strictly required by the final rules but which we recommend in order to more strongly protect covered entities in light of the increased risk posed by business associates. For example, unless contracted otherwise, covered entities can be responsible for business associate noncompliance and are left to mitigate, report and pay for business associate-caused security breaches. This BAA template tips the balance back toward the favor of the covered entity in terms of risk, cost and liability protection. It includes features to both address the new HITECH requirements and mitigate the risk of business associate-caused security breaches and noncompliance.

With the compliance deadline only two months away, covered entities must focus efforts to ensure that all updates are complete and new training concluded prior to the September 23 deadline.

© 2019 Poyner Spruill LLP. All rights reserved.


About this Author

With change constant, and accelerating, health care organizations encounter ever widening obstacles to their success. They need legal guidance from a law firm that understands the challenges they face and can fashion responses to meet their needs.

At Poyner Spruill, we provide just that.

We work with hospitals and health systems, physicians and other licensed medical professionals, physician and other clinical practices, managed care organizations, provider associations, nursing homes, home health agencies, assisted living facilities, hospice agencies, dialysis centers,...