Compliance Helper Blog

Do Not Breach Business Associate Agreements: Ford & Harrison LLP, Daniel Sulton

I read this post with interest this morning. It seems that every day we get another law firm interpreting the NPRM. Here is an excerpt from the Ford & Harrison LLP opinion by Daniel Sulton:

"The proposed rule modifies the requirements for a business associate agreement. A covered entity would not be required to report any breach or violation of the business associate agreement to HHS even if termination of the business associate agreement is not feasible. Also the parties to a business associate agreement must include provisions in the agreement requiring the business associate to take reasonable steps to cure any material breach or violation of the business associate agreement between the business associate and a subcontractor, or terminate the contract. The business associate agreement must also contain provisions requiring a business associate to comply with the Security Rule, report breaches of unsecured PHI to the covered entity, and ensure any subcontractors comply with the same rules applicable to business associates."

In the NPRM, HHS states: Regardless of the reason, to avoid the risk of the far more serious penalties in this proposed rule, we expect that business associates and subcontractors that have been lax in their complying with the privacy and security standards may now take steps to enhance their security procedures and strengthen their policies for protecting the privacy of the protected health information under their control.

 

 

