HITECH Act Business Associate Agreement Changes

Interpretation of 'Business Associates'
The recommended changes apply to entities assisting covered entities—business associates. The proposed changes include modification of how a 'business associate' is interpreted. Here, all entities or persons providing data transmission services are also deemed business associates since they have restricted access to protected health information. Similarly, subcontractors who are involved in receiving, maintaining, transmitting or creating PHI on behalf any business associate are also treated as business associates.

Modifications to Business Associate Agreements
The proposed changes increase the liability of business associates in terms of being committed to maintaining the integrity of PHI. Hence, the business associate agreement should clarify that the business associate:
• Will comply to mandates regarding handling of e-PHI (electronic medical record PHI)
• Shares a covered entity’s obligation under the HIPAA Privacy Rule and must comply with HITECH act regulations
• Reports any breach in handling of PHI to the covered entity
• Enters in similar contracts with a subcontractor wherein PHI is involved

Thus, a covered entity need not report breach by a business associate to the Secretary of HHS because a business associate would himself be mandated to report such breaches to the Secretary.