The following question comes from an attendee of the July 29 HCPro, Inc. audio conference, Business Associates and Covered Entities: Adapt Contracts to Comply With New HIPAA Law. The speakers on the show were Chris Apgar, CISSP, president, Apgar & Associates in Portland, OR, and John R. Christiansen, JD, of Christiansen IT Law in Seattle.
Q. Who is generally responsible for creating the business associate agreements (BAAs) — the covered entity (CE) or business associate (BA)? If the covered entity is responsible, and they do not create the BAA, should the business associate step in and create a BAA?
CHRISTIANSEN: Under pre-HITECH HIPAA, as it will apply until next February 17, the covered entity is responsible for establishing the BAA.
The regulations place that obligation on the covered entity, and it is the entity which can be penalized if there is not one in place. HHS has not had the jurisdiction to require business associates to establish BAAs, or punish them if they don’t.
However, my recommendation to BAs working with CEs which fail to implement BAAs (I’ve had a few as clients) has always been to get the BAA in place themselves, since a compliance audit of the CE which uncovered the absence of the BAA would undoubtedly disrupt, and maybe wreck, the business relationship between CE and BA.
HITECH has, however, changed this, by extending regulatory jurisdiction to BAs, and requiring them to have BAAs, while still requiring CEs to have BAAs. As of February 17, both CE and BA can be penalized if they don’t have a BAA. So both parties will have that obligation.
Bottom line: Until February 17, if a CE hasn’t implemented a BAA, the BA should step up to protect its business relationship with the CE. After February 17, the BA will be required to step up as a matter of law.
APGAR: I agree with John. I regularly advise my clients who are business associates to have their own business associate contract template “in their back pocket” and offer to execute it if the covered entity does not have one or has not required one at the time a contract for services or products is entered into with a potential business associate.
It is good for the business associate’s image with the covered entity (demonstrating understanding of and concern for privacy and security) and places the business associate in a better light legally.
Also, as John indicated, as of February 2010, business associates will likely also be held responsible for reasonably ensuring a business associate contract is executed timely with the covered entity.