Oct
22
BA contract addendum
By
Does anyone have a sample of an addendum that can be added to our BA agreement that puts us into compliance with the HITECH-HIPAA or do we need to re-write and retain all new BAs to include the requirements for HIPAA?
Joey Filipiak
Get blog updates in your e-mail
Subscribe to our e-zine
Click here to learn how!
I, too, am very interested in hearing about this.
We have:
1. An amendment that we are currently sending to all of our existing BAs to modify their BAA currently in place.
2. Modified our standard BAAs to include HITECH requirements for any new BA we contract with going forward.
Since BAAs can vary from one covered entity to the next – I am not sure that the amendment we are using would work for you. You should probably talk to your attorney regarding how to proceed.
Good luck.
Hello all:
Let me take a minute for a shameless plug, if you will.
We hosted this audio conference — http://www.hcmarketplace.com/prod-7893/Business-Associates-and-Covered-Entities.html
And we are hosting another one in January on the same topic to include updates and more templates and sample contract language.
Stay tuned for more information on that one.
We have been advised that, not only is a new BA (or addendum covering the new requirements) required, but also that, as a BA, we need to re-address all of our privacy and security policies and procedures to meet new HITECH laws. This is a significant expenditure of both time and money for our organization and is ongoing. Some BAs are simply not going to become compliant and should examine whether or not they want to retain PHI as part of their portfolio of records they retain moving forward. CEs should do a similar examination of their BAs and ask the tough questions.
One thing to remember in preparing your new BAA is the rules will not be finalized until December 2009. The interim guidance discusses the risk accessment to determine harm but the final rule may not permit this determination. Therefore putting in or leaving out a requirement for doing the accessment could end up being wrong. I am working with a North Carolina group to write a new BAA. We are sending an Alert to the business associates warning them of the new requirements and letting them know there is a new BAA coming. Right now they need to review the HITECH Act to prepare.
I agree with Madeline; as a service provider we have been advised by our attorney to wait until the final rules are released before modifying our BA Agreement.
This is excellent dialogue as I am encountering a variety of opinions and comments on the “State of the BAA”.
My suspicion is that most covered entities are taking a wait and see approach, given that their already executed BAAs may be used to effectively argue that they address the new HITECH Act requirements.
Others are basing their decision to wait on the fact that there are many questions still outstanding and a current comment period that is also open which may ultimately impact what the next Guidance contains.
I applaud HCPro for providing this forum for us to share our viewpoints. Hopefully covered entity officials will get some answers in upcoming updates or issued Guidances that may provide some answers.
Frank