HIPAA privacy and security officers would probably be thrilled to receive a letter from the Office for Civil Rights (OCR) with "HITECH guidance" written on the envelope.
But that hasn't happened, and it's anyone's guess when it will.
Experts told HealthLeaders Media they expect OCR, the HHS agency that enforces the HIPAA privacy and security rules, to deliver guidance on business associate (BA) contracts, meaningful use, clarifications on security breach notification, and perhaps security rule compliance for BAs. When that information is delivered, however, is unknown.
The compliance date for HITECH, the privacy and security law enacted earlier this year, is known—February 17, 2010.
And you can certainly work now on your BA contracts and prepare for HITECH compliance.
Here are six tips to help:
Remember: Compliance is not going away. Some important regulations, such as the breach notification interim final rule, have been set. Regardless of what OCR does for guidance, the compliance date with major HITECH regulations is February 17, 2010. "You're still going to have that compliance date," says John R. Christiansen, founder of Christiansen IT Law in Seattle. Christiansen will be one of the speakers on the HCPro, Inc., January 14 audio conference, "Business Associate Action Plan: Comply with HITECH by February Deadline."
Start to comply now. Don't wait for OCR guidance to make a move. "I don't know quite what the guidance is going to say," Christiansen says, "but at some point you've got to get off the fence and say you're going forward and taking action."
Create a form for new contracts. Have a form in place for new contracts between BAs and covered entities. "Develop a form and adapt it going forward," Christiansen says. The lawyer says that as far as existing BA contracts go, it will be "really difficult to track down all of your BA contracts and assemble them." Some of the BAs may not know why you're contacting them. "It can be a daunting process," Christiansen says.
Research how HITECH wording applies to contracts. HITECH says covered entities must incorporate the new provisions into their BA contracts. Does that mean they're automatically a part of the BA contract? Or does each covered entity have to update the contracts to reflect the HITECH changes? Christiansen says he's heard lawyers leaning toward each scenario. He says he advises clients to amend their own agreements. That way, they can include their own language that works better for their relationship with the BA. "Instead, you've got this law automatically applied," Christiansen says. "That may be fairly hard to work with."
Coordinate security breach notification in your contract. "It's much better to negotiate that before you've got a problem rather than in the heat of the moment," Christiansen says. "It's very important to cover that in advance to the greatest extent you can."
Spell out the BA's security obligations. Specify safeguards, and require coordination on how they do things. "If you're accessing the same information using the same service together, that can get a bit complicated," Christiansen says. "If you've got different security standards for each, that can get unnecessarily complicated. It's an opportunity to have a dialogue you ought to be having."