Be wary of significant risks if your business associates (BAs) violate HIPAA after an agreement is signed. The Health Information Technology for Economic and Clinical Health (HITECH) Act requires you to update and revise your BAAs to ensure they’re in compliance with the HIPAA Omnibus Final Rule by September.
The HITECH Act mandates that you negotiate and implement amendments to all pre-existing BAAs — those entered into prior to Jan. 25, 2013, said attorney Casey Moriarty in a blog posting for the Seattle-based law firm Ogden Murphy Wallace.
But you should “also be mindful of the important terms in BAAs that can lead to increased liability,” Moriarty noted. Specifically, pay attention to these three terms:
Indemnification: Although not required under the HITECH Act, you should push for strong indemnification language that requires the BA to indemnify your organization for its breach of PHI and HIPAA violations, Moriarty said. “Acceptable indemnification language for each party depends on the nature of the PHI involved in the transaction and the amount of PHI that is transmitted between the parties.”
Limitation of Liability: Many BAs push for BAA language that limits their liability to certain amounts. But accepting a BA’s “limitation of liability” terms can pose significant risks if the BA violates HIPAA after the BAA is signed, Moriarty warned.
Breach Notification Time Period: The HITECH Act requires BAs to notify CEs of a breach within 60 days of discovery. But to protect your relationships with patients affected by a breach, your proposed BAAs should require the BA to provide notification within 10 days or less, Moriarty recommended. A BA’s “acceptance to a shorter notification period can put tremendous pressure on it to investigate and disclose accurate information after a breach occurs.”
Lesson learned: Although you must complete the BAA amendments by the Sept. 23 deadline, you still need to take the time to think critically about the language in your BAAs prior to signing them, Moriarty stressed.