Business Associate Agreements and Compliance under HIPAA & HITECH – Not just for breakfast anymore

By Michael R. Lowe, Esq.

The days of being able to take for granted and ignore HIPAA's business associate agreement ("BAA") compliance requirements have long since passed. As of September 23, 2014, all Covered Entities and Business Associates must have updated and compliant BAAs in place in accordance with the requirements of the 2009 HITECH amendments to HIPAA. Far too often, both Covered Entities and Business Associates take this requirement for granted and do not carefully review their business associate relationships and put compliant BAAs in place. And HHS/OCR knows it. In fact, during several recent public presentations, HHS/OCR representatives have indicated that BAAs and compliance with the HITECH amendment requirements will be a major point of focus during the upcoming round of HIPAA audits that will be conducted over the next several months.

Covered Entities and Business Associates were required to have compliant BAAs in place by January 25, 2013. However, the HITECH amendments provided a "grandfathering" provision for BAAs that were already in place as of January 25, 2013, and that either renewed automatically or expired after that date. In doing so, the HITECH amendments gave Covered Entities and Business Associates with such BAAs in place an extension to amend their BAAs by no later than September 22, 2014.

Unwary Covered Entities and Business Associates who do not comply with this requirement may get caught in situations that can result in severe penalties and scrutiny by HHS/OCR. Many times during complaint and breach notification/reporting investigations, HHS/OCR will request copies of BAAs if the facts and circumstances involved in the breach or complaint involve a Business Associate. Failure to have the required BAAs in place that are compliant with the HITECH amendment requirements could result in additional scrutiny and penalties being levied against a Covered Entity or Business Associate during an investigation. Simply stated, failure to comply with BAA requirements will invoke more enhanced and draconian penalties against Covered Entities and Business Associates.

In order to prevent these types of issues from arising, Covered Entities and Business Associates should immediately review their list of business associate relationships to determine if they have BAAs in place with each of their Covered Entities and Business Associates. They should also determine if those BAAs have been updated and are compliant with the HITECH amendment requirements. Those requirements include: Business Associates being required to comply with the HIPAA Privacy Rule; inclusion of provisions addressing the sale of Protected Health Information ("PHI"); breach notification provisions; requirements for Business Associates to report to Covered Entities any unauthorized use or disclosure of PHI, not just breaches; the expanded definition of a "Business Associate"; and obligations for Business Associates performing Covered Entity functions under HIPAA, such as patient access to electronically stored information, amendments to records, and accountings of disclosures.

While the task of bringing an organization's BAAs into full compliance seems daunting, taken in small steps the process is manageable and will help protect an organization not only from HIPAA violations but also from potential data breaches that could result in severe consequences to the organization, its patients and its clients. There are resources available on the HHS website, including a template BAA. While this template itself is not necessarily a finished, stand-alone product, and will most likely need further revisions and work in order to be tailored to an organization's specific needs and for Florida contract law considerations, it does provide a good starting point. However, Covered Entities and Business Associates alike would be well served to ensure that they retain qualified healthcare legal counsel with experience in both contract law and HIPAA/HITECH and BAA preparation.

Mr. Lowe and our law firm regularly represent physicians and other licensed health care professionals in the defense of medical malpractice cases, the review of their medical malpractice professional liability insurance policies and coverages, and personal counsel matters, as well as the review of employment contracts. To contact us regarding such matters, please visit our website www.lowehealthlaw.com or call our office at 407-332-6353. Michael R. Lowe, Esq. is a board-certified health law attorney and shareholder at Michael R. Lowe, P.A., 800-571-5208.
