
Order Now

Sample BAA Agreement:
    $100 Coalition members
    $130 non-members

Sample Amendment to BAA Agreement:
    $55 Coalition members
    $75 non-members

Templates will be emailed, so please be sure to specify a valid email address. All templates are in Microsoft Word format.

Download the order form.

For questions, contact Karyn Krampitz at (212) 742-1600 x103 or krampitz@coalitionny.org

HIPAA Business Associate Agreements

RECOMMENDED CHANGES in HIPAA BUSINESS ASSOCIATE AGREEMENTS

January 26, 2010

Created by Lewis Creek Systems, LLC

This information and the template agreements are provided as an educational guide to HIPAA compliance only. Review any changes or replacements of your agreements with your attorney to ensure compliance with state law and consistency with your counsel’s recommended legal language and provisions.

The Health Information Technology for Economic and Clinical Health Act (HITECH) within the American Recovery and Reinvestment Act of 2009 (ARRA) contains several provisions that can require modification of Business Associate Agreements (BAAs) between HIPAA Covered Entities (CEs) and their Business Associates (BAs) who may use or disclose protected health information on their behalf.

As of this writing, not all of the regulations pertaining to the new requirements in the law have been issued, even though many of the changes are required by February 17, 2010. While it may be prudent to wait for regulations before making any changes, the deadline for enforcement of the new HIPAA Breach Notification Rule is February 22, 2010, and many BAAs will need to be updated to protect covered entities from the costs of breaches by their business associates, and vice versa. Since the BAAs are being updated, they should also have new language added that would be expected to meet the as-yet-unissued regulations, so as to avoid having to renegotiate another agreement once the regulations are issued.

Once all the regulations have been published, these templates will be updated and forwarded to anyone who purchases this version.

The changes are focused primarily in three areas of concern:

  1. Requirements for BAs to comply with specific sections of the HIPAA Privacy and Security Rules
  2. New language surrounding breach notification and the securing of data
  3. New disclosure-related requirements where Electronic Health Records (EHRs) are concerned

Two documents are provided for consideration:

  1. Amendment language to be used with pre-existing business associate agreements. The language meets requirements for both Security and HITECH changes. (3 pages)
  2. A complete Business Associate Agreement document based on the proposed language put forth by the US Department of Health and Human Services under the Privacy Rule, with the HITECH-related amendments integrated into a "standard" agreement. (6 pages) (This sample agreement is based on the “standard” business associate agreement language presented by the US Department of Health and Human Services for Privacy Rule compliance, pre-Security Rule, and pre-HITECH, and has been modified to incorporate the contents of the Sample BAA Amendment, which adds in sections for Security Rule and ARRA/HITECH Act changes.)

The documents include numerous explanations and notes describing additional considerations for sections that may be affected when regulations are issued.

HITECH Raises the Stakes on HIPAA Compliance - February 17, 2009 | Health Law @ Manatt

New Regulations for HIPAA Business Associates Due Soon - December 15, 2009 | Lewis Creek Systems