Signed a Business Associate Agreement? Get Compliant, Says HHS
The Notice of Proposed Rulemaking (NPRM) is pretty heavy reading, but if you make it to page 163 you will find some very interesting comments about HHS expectations vis-à-vis business associates and their business associate agreements. They basically say that they assume that BAs are compliant with their agreements and have privacy and security programs in place. They go on further to say: "For those business associates that have not already adopted HIPAA-compliant privacy and security standards for PHI, the risk of criminal and/or civil monetary penalties may spur them to increase their efforts to comply with privacy and security standards."
If you have signed a BA agreement and are not compliant, you have two major problems. First, you are in breach of contract with your business partner, which could shift a greater liability to you and threaten your relationship. Second, you are guilty of "willful neglect," which can bring penalties, fines, and possible criminal charges.
The effective dates and comment periods, which might lead you to think that you have lots of time, are irrelevant because you have already agreed to be compliant. If you have neglected or refused to sign a BA agreement, the covered entity is required to either terminate your contract, notify HHS, or both.
With effective compliance programs starting at $125 there is no cost excuse, and with the requirements of your contract in force today there is no excuse for delay. Get compliant, stay compliant, and prove compliance with the Compliance Meter™.