Professional Learning Center

Order Now

Sample BAA Agreement:
    $ 100 Coalition members
    $ 130 non-members

Sample Amendment to BAA Agreement:
    $   55 Coalition members
    $   75 non-members

Templates will be emailed - so  please be sure to specify valid email address.  All templates are in Microsoft Word format.

Download the order form.

For questions contact Teyana Reed at (212) 742-1600 x101 or treed@coalitionny.org

HIPAA Business Associate Agreements

RECOMMENDED CHANGES
in
HIPAA BUSINESS ASSOCIATE AGREEMENTS

Updated June 10, 2013

Created by Lewis Creek Systems, LLC

This information and the template agreements are provided as an educational guide to HIPAA compliance only. Review any changes or replacements of your agreements with your attorney to ensure compliance with state law and consistency with your counsel’s recommended legal  language and provisions.

The Health Information Technology for Economic and Clinical Health Act (HITECH) within the American Recovery and Reinvestment Act of 2009 (ARRA) contains several provisions that require modification of Business Associate Agreements (BAAs) between HIPAA Covered Entities (CEs) and their Business Associates (BAs) who may use or disclose protected health information on their behalf.  These changes are now codified in the HIPAA Omnibus Update published January 25, 2013.

The changes are focused primarily in three areas of concern:

  • Requirements for BAs and their subcontractors to comply with specific sections of the HIPAA Rules
  • New language surrounding breach notification and the securing of data
  • New disclosure-related requirements where Electronic Health Records (EHRs) are concerned.

Two documents are provided for consideration:

  • A set of amendment language to be used with pre-existing business associate agreements.  The language includes that required for both Security and HITECH/Omnibus changes, and for the HITECH/Omnibus changes separately.
  • A complete set of agreement language based on the proposed language put forth by the US Department of Health and Human Services (HHS) under the Privacy Rule, based on the “standard” agreement put forth by HHS on January 25, 2013, available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.

The documents include numerous explanations and notes describing additional considerations for sections that may be affected when regulations are issued.