Seven Tips to Comply with HITECH Requirements

Brace for contract updates. Be prepared to update the contract next month when the government is expected to release new breach notification guidance. Many hope that this guidance will clear up some lingering questions related to how elements of the HITECH Act should be incorporated into BA agreements.

Hire an attorney who knows HIPAA. If you are hiring, look for an attorney who specializes in HIPAA to review your BA contracts. Borten says she's seen many a competent attorney include contract provisions that were not HIPAA compliant simply because the rule is complex and requires someone with specialized knowledge to interpret and apply it correctly.

Beware of subcontractors. Include language regarding subcontractors. Know to whom your BAs subcontract work and stay informed on these arrangements, says Borten. Consider requiring the organization to notify you if they are using a subcontractor, particularly one that is offshore. Some organizations go so far as to prohibit BAs from subcontracting work offshore, says Borten.

Don't view BAs as adversaries. "Covered entities and BAs have been partners for years; it is not something that has to cause a divide," says Ruelas. If your BAs need help becoming compliant, help them along. Your organization likely spent a lot of time getting up to speed on HIPAA. Save your BAs some of that work by sharing with them what you've already done.

"It really serves no purpose to say to them figure it out yourself," says Ruelas. Set aside a day and have them come in and talk to your designated privacy officer or security officer.

"You're helping each other out. It is a symbiotic relationship," says Ruelas.