The Health Information Technology for Economic and Clinical Health (HITECH) Act was passed in 2009 to promote the adoption and meaningful use of electronic health records (EHRs) and other technology in healthcare. Along with its many provisions, HITECH established new requirements for business associate agreements (BAAs) that healthcare providers must follow when sharing electronic protected health information (ePHI) with third-party vendors.
HITECH defines a business associate as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” Covered entities are healthcare providers, health plans, and healthcare clearinghouses that transmit health information electronically.
BAAs are contracts that establish the terms and conditions for how business associates handle ePHI. Under HITECH, BAAs must include certain provisions to ensure that the business associate protects the confidentiality, integrity, and availability of the ePHI in its possession.
Some of the key requirements for BAAs under HITECH include:
1. HIPAA compliance: Business associates must comply with the same HIPAA Privacy and Security Rules that covered entities follow. BAAs must spell out the specific HIPAA requirements that the business associate must comply with.
2. Use and disclosure: BAAs must specify the purposes for which the business associate is permitted to use and disclose ePHI, as well as any restrictions on such use and disclosure.
3. Safeguards: Business associates must implement reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI. BAAs must specify the safeguards that the business associate is required to implement.
4. Reporting breaches: Business associates must report any breaches of ePHI to the covered entity as soon as possible, and no later than 60 days after discovery. BAAs must specify the process for reporting such breaches.
5. Termination: BAAs must specify the conditions under which the covered entity may terminate the agreement, including the right to terminate for breach.
6. Subcontractors: Business associates must obtain written assurance from any subcontractors that they will comply with the same privacy and security requirements that the business associate has agreed to. BAAs must specify the business associate’s obligations with respect to its subcontractors.
7. Access and amendment: Business associates must make ePHI available to the covered entity for access and amendment purposes. BAAs must specify the process for providing such access and amendment.
It is important for healthcare providers to ensure that their BAAs comply with HITECH requirements, as failure to do so can result in significant fines and reputational damage. Business associates should also be aware of their obligations under BAAs and take steps to implement appropriate safeguards to protect ePHI.
In conclusion, HITECH’s requirements for business associate agreements are an important aspect of healthcare privacy and security. By following these requirements, healthcare providers and business associates can help ensure the confidentiality, integrity, and availability of ePHI and protect patient privacy.