Mid-Atlantic Health Law TOPICS

Background hero atmospheric image for Amending Business Associate Agreements to Comply with Security Rule

Amending Business Associate Agreements to Comply with Security Rule

Health care providers that transmit health information in electronic form, large health plans (those with over $5,000,000 in premiums or claims) and billing clearinghouses were required to comply with the HIPAA Security Rule by April 21, 2005. The compliance date for small health plans is April 21, 2006.
Nevertheless, many covered entities may have forgotten to amend their existing business associate agreements to comply with the Security Rule.
The Security Rule requires covered entities to implement administrative, physical and technical safeguards to protect the integrity, confidentiality and availability of "electronic private health information" (EPHI) that they store and transmit. The definition of EPHI is more limited than the definition of "protected health information" (PHI) in the HIPAA Privacy Rule, which includes paper and oral information.
Like the HIPAA Privacy Rule, the Security Rule requires covered entities to enter into agreements with business associates who create, receive, maintain or transmit EPHI on behalf of the covered entities. Under such agreements, the business associate must agree to:
1. Implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the covered entity's EPHI;
2. Ensure that its agents and subcontractors to whom it provides EPHI do the same; and
3. Report to the covered entity any security incident of which it becomes aware.
A "security incident" is defined broadly to include any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with systems operations in an information system.
According to the Center for Medicaid and Medicare Services, covered entities may customize the frequency and detail of security incident reporting to the degree of the incident's severity. For example, a covered entity may decide that attempted or successful security incidents that pose a minor threat be reported less frequently than suspicious or repeated security incidents.
The covered entity must also be permitted to terminate the agreement if it determines that the business associate has violated a material term of the agreement.
Existing business associate agreements that were drafted to comply with the HIPAA Privacy Rule must be amended to include these provisions if they involve the protection of EPHI.


December 22, 2005




Rosen, Barry F.


Health Care