BA Contracts under HIPAA HITECH

Many of you have asked the following question about business associates over the past weeks, so we thought we would review it again.

Q: A covered entity encounters difficulty when executing updated business associate contracts. Business associates are requesting amendments that exclude language pertaining to some HITECH requirements. Is this a common occurrence?

A: It is not uncommon. Business associates must comply with HITECH requirements that pertain to them regardless of whether the business associate contract includes them. If feasible, consider seeking services elsewhere if a business associate is unwilling to sign a contract that includes HITECH requirements or an indemnification clause.

Inform business associates that they must adhere to HITECH requirements regardless of whether their contract includes this language. Refer to 45 CFR 164.314(a)(1) and 45 CFR 164.502(e)(2).

A covered entity should also include language that allows it to amend a contract if necessary without business associate consent. This type of provision allows contract changes that become effective after a set period of time following business associate notification. Executing an addendum rather than a completely new contract is advisable when an existing contract already includes this language. Business associates may object, but they would be legally bound by the amended contract nonetheless.