Under HIPAA, as extended by HITECH, a Business Associate (BA) agreement is required between a covered entity (e.g., your clients) and any BA with which it exchanges protected health information (PHI). Because your Firm is a BA to its clients, the Firm is in turn required to have BA agreements with the vendors it exchanges PHI with, such as offsite records storage, document production vendors, expert witnesses, etc.
Per the HIPAA Security Rule:
The Business Associate Contracts and Other Arrangements standard states that:
“A covered entity, in accordance with § 164.306 [the Security Standards: General Rules], may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a) [the Organizational Requirements] that the business associate will appropriately safeguard the information (Emphasis added).”
The required implementation specification under that standard is as follows:
“Document the satisfactory assurances required by paragraph (b)(1) [the Business Associate Contracts and Other Arrangements] of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a) [the Organizational Requirements].”
Because your Firm handles PHI on behalf of its clients, each client (as the covered entity) is required to put a BA agreement in place with your Firm. However, in my experience doing HITECH risk assessments, less than 10% do, and of those 10%, less than 1% of existing BA agreements have been updated with HITECH verbiage. So, it is up to your Firm to determine the approach to obtaining these agreements from your clients.
First, complete a formal risk assessment to determine all areas where PHI is found within your Firm (see older blog post for specifics). Then, obtain the Firm's legal position on the following:
- Will you require all relevant clients to sign a BA agreement with you?
- If clients haven’t reached out to the Firm, will you reach out to them?
- If a client's new or existing BA agreement doesn't include the HITECH requirements, will you update it for the client?
- To what extent will you enforce BA agreements with your vendors?
- Will you standardize on one vendor agreement, or tailor it to what each client is asking of you?
- How will you get the practice areas to comply for their vendors (expert witnesses, document production vendors, etc.)?
Once you have determined the approach the Firm will take, existing BA agreements should be updated with HITECH verbiage, specifically:
• Expanded individual rights of patient access to their information
• Further restrictions on the use and disclosure of PHI
• Reciprocal obligation to cure a breach
• Direct BA compliance with the Security Rule
• Breach notification requirements for unsecured PHI
Since so much of this will have to be implemented at the practice level, it is important to work with the Firm's Risk Partner or Managing Partner right from the start to ensure buy-in. Are you having fun yet? Stay tuned for more fun HITECH topics!