HITECH and HIPAA

Dom Nicastro, for HealthLeaders Magazine, March 8, 2010
In the early days of HIPAA, many organizations decided to err on the side of caution and made pretty much everyone sign a BA contract, says Ruelas. But that decision may come back to haunt them with this new compliance date.

Gauge your BAs' readiness. The next item on your checklist is to make sure that your BAs know that they are expected to comply with these regulations. Some organizations, even late in the game, might not even know that they are required to be HIPAA compliant, says Ruelas.

Don't just ask your BAs if they are HIPAA compliant, ask them specific questions to gauge their readiness, such as how they will handle specific scenarios, says Borten. Some BAs also may not understand the full extent of what they are now required to do, says Ruelas. For example, they might know they have new breach notification requirements but are unaware of their other responsibilities, says Ruelas.

Make sure your BA contract language is up to date. Once you've checked up on your BAs, make sure you have legal contracts that include all the language required by the privacy and security rules and HITECH Act.

Put expectations in writing. For example, make sure that the covered entity and BA agree on action parameters when a breach is discovered. Spell out in the contract how long the BA has to report a breach to your organization once it is discovered.

Requiring rapid notification will ensure that you are being notified in a timely manner and also that you can work with the BA to determine the cause and fallout from the breach by the time you are required by federal law to report it, he says.

Hire an attorney who knows HIPAA. If you are hiring, look for an attorney who specializes in HIPAA to review your BA contracts. Borten says she's seen many a competent attorney include contract provisions that were not HIPAA compliant simply because the rule is complex and requires someone with specialized knowledge to interpret and apply it correctly.

Beware of subcontractors. Include language regarding subcontractors. Know to whom your BAs subcontract work and stay informed about these arrangements, says Borten. Consider requiring the organization to notify you if it uses a subcontractor, particularly one that is offshore. Some organizations go so far as to prohibit BAs from subcontracting work offshore, says Borten.

Don't view BAs as adversaries. "Covered entities and BAs have been partners for years; it is not something that has to cause a divide," says Ruelas. If your BAs need help becoming compliant, help them along. Your organization likely spent a lot of time getting up to speed on HIPAA. Save your BAs some of that work by sharing with them what you've already done.

"It really serves no purpose to say to them, 'Figure it out yourself,'" says Ruelas. Set aside a day and have them come in and talk to your designated privacy officer or security officer.

"You're helping each other out. It is a symbiotic relationship," says Ruelas.

Remember: Compliance is not going away. Some important regulations, such as the breach notification interim final rule, have been set. Regardless of what OCR does for guidance, the compliance date with major HITECH regulations was February 17.

Start to comply now. Don't wait for OCR guidance to make a move. "I don't know quite what the guidance is going to say, but at some point you've got to get off the fence and say you're going forward and taking action," says John R. Christiansen, founder of Christiansen IT Law in Seattle.

Create a form for new contracts between BAs and covered entities. "Develop a form and adapt it going forward," says Christiansen. The lawyer says that as far as existing BA contracts go, it will be "really difficult to track down all of your BA contracts and assemble them." Some of the BAs may not know why you're contacting them. "It can be a daunting process," Christiansen says.

Research how HITECH wording applies to contracts. HITECH says covered entities must incorporate the new provisions into their BA contracts. Does that mean they're automatically a part of the BA contract? Or does each covered entity have to update the contracts to reflect the HITECH changes? Christiansen says he's heard lawyers leaning toward each scenario. He advises clients to amend their own agreements. That way, they can include their own language that works better for their relationship with the BA. "Instead, you've got this law automatically applied," Christiansen says. "That may be fairly hard to work with."

Coordinate security breach notification in your contract. "It's much better to negotiate that before you've got a problem rather than in the heat of the moment," he says. "It's very important to cover that in advance to the greatest extent you can."

Spell out the BA's security obligations. Specify safeguards and require coordination of how they do things. Christiansen says, "If you're accessing the same information, using the same service together, that can get a bit complicated. If you've got different security standards for each, that can get unnecessarily complicated. It's an opportunity to have a dialogue you ought to be having."

Dom Nicastro is a senior managing editor for HCPro, Inc. He may be contacted at dnicastro@hcpro.com.