The HITECH Act requires that certain new provisions be included in HIPAA business associate agreements by February 18, 2010. The problem is that the Department of Health and Human Services ("HHS") has yet to offer clarification regarding the precise provisions that must be included in these new business associate agreements or sample contract language.
On May 29, in a posting on a Health Care Compliance Association listserv, Susan McAndrew, Senior Policy Specialist with the HHS Office for Civil Rights ("OCR"), stated that OCR will be working over the summer on a proposed rule that should be issued later this year. Ms. McAndrew also noted that OCR has not yet updated the model business associate agreement on the OCR website.
So what do you do if you must enter into a business associate agreement today that will have a term that will run through February 18, 2010? You can either take your best shot at addressing HITECH requirements, with the understanding that subsequent modifications may be necessary, or you can amend the agreement in late 2009 or early 2010 when (hopefully) recommended sample provisions and additional guidance will be available. These are questions that HIPAA covered entities and business associates are grappling with right now. One consideration favoring amending business associate agreements early is the fact that the new security breach notification obligations imposed on business associates will become effective by September 18, 2009 (or sooner, depending on when HHS issues final regulations on the subject).