July 22, 2010
New Proposed HITECH Regulations - Impact on Business Associate Agreements
On July 14, 2010, the Department of Health and Human Services ("HHS") formally published its proposed regulations implementing changes made to the HIPAA Privacy and Security Rules by the Health Information Technology for Economic and Clinical Health Act ("HITECH"). The proposed regulations also include other changes intended to confirm or clarify the original Privacy and Security Rules. Because the proposed regulations cover a broad range of topics, we are issuing several more Alerts in our HIPAA Impact Series to provide further analysis of those topics. The following is a brief overview of the proposed regulations regarding business associate agreements. Those provisions include:
- Covered entities will no longer be required to report to HHS when a pattern or practice of a business associate violates the business associate agreement and termination of the arrangement is not feasible. According to commentary contained in the proposed regulation, such a requirement is no longer necessary in light of the Breach Notification Rule and the direct liability of business associates under HITECH.
- Business associates will be required to take reasonable steps to cure violations of a business associate subcontractor agreement if the business associate becomes aware of a pattern or practice of a subcontractor that violates the agreement. This provision simply requires business associates to respond to noncompliance by their subcontractors in the same way that covered entities are required to respond to noncompliance by their business associates.
- Business associate agreements will be required to include provisions providing that business associates will:
  - Comply with the Security Rule with regard to electronic protected health information.
  - Report breaches of unsecured PHI to covered entities in accordance with the Breach Notification Rule.
  - Ensure that their subcontractors agree to the same restrictions and conditions as apply to the business associate.
  - Comply with the Privacy Rule requirements as if it were the covered entity in those instances when the business associate is carrying out the covered entity's obligation under the Privacy Rule.
- Business associate subcontractor agreements will be required to meet all of the requirements applicable to business associate agreements.
Since the passage of HITECH, there has been much debate surrounding if and when covered entities and business associates would be required to make changes to their business associate agreements. In recognition of administrative burdens and costs that will be incurred, HHS is proposing a one-year grace period to allow sufficient time to modify business associate agreements.1 Accordingly, if a business associate agreement meets the current requirements of the Privacy Rule as of the date the final rule is published, that agreement will be deemed compliant until the earlier of: (i) the date the underlying contract is first renewed or modified after the compliance effective date; or (ii) the date that is one year after the compliance effective date. The automatic renewal of an evergreen contract would not constitute a renewal or modification for this purpose.
HHS will accept comments regarding the proposed regulations from the public and the industry for a 60-day period ending September 13, 2010. Sometime thereafter, HHS will issue final regulations.
The proposed regulations may be accessed at: http://edocket.access.gpo.gov/2010/pdf/2010-16718.pdf.
Hall Render's HIPAA Impact Series has provided in-depth analysis of HIPAA issues and developments since the passage of HITECH. Our HIPAA Impact Series may be accessed at http://www.hallrender.com/?&section=library&page=hipaa.
If you need additional information about HIPAA/HITECH, please contact Mark Swearingen (mswearingen@hallrender.com or 317.977.1458) or your regular Hall Render attorney.
1 Covered entities and, as applicable, business associates will have 180 days from the date the final rule is published to comply with most other rules.