Guest gaham
Posted March 23, 2005

I am aware that the security requirements for electronic PHI must apply by April 20, 2005 (for small plans, April 20, 2006). Some are suggesting that Business Associate agreements must be amended to include language regarding electronic PHI by those dates. This seems to me to be overkill and unnecessary, since electronic PHI is a subset of PHI; that is, if it is electronic PHI it is PHI, so the original language in the Business Associate agreement should suffice. Am I missing something here? Thanks for any input.

Steve72
Posted March 23, 2005

I think an amendment is necessary. The rules surrounding the protection of e-PHI significantly differ from and expand on the "appropriate administrative, technical and physical safeguards" requirement in the Privacy Rule. The Security Rule contains a specific requirement that BAAs describe the BA's security responsibilities (although HHS has indicated it will not release model language). Relying on the privacy language would be insufficient to meet the Security requirements, in my opinion.

GBurns
Posted March 23, 2005

I agree with Steve72. I looked back at a few of the BAs that I have signed and all of them have e-PHI language. Since these were all signed quite some time in early 2004, I now wonder why anyone would have left it out. It raises questions about proper drafting and whether anything else might be missing or not addressed.

George D. Burns
Cost Reduction Strategies
Burns and Associates, Inc
www.costreductionstrategies.com (under construction)
www.employeebenefitsstrategies.com (under construction)