New laws on patient security breaches mean your associate contracts probably need updating

A column examining the ins and outs of contract issues

By Steven M. Harris, a partner at McDonald Hopkins in Chicago concentrating on health care law and co-author of Medical Practice Divorce. He writes the "Contract Language" column. Posted Nov. 16, 2009.


Think your business associate agreements sufficiently protect your rights? Now figure in new laws on security breaches of patient information.

Those agreements you signed to comply with the Health Insurance Portability and Accountability Act probably need to be torn up, rewritten and re-signed. In the case of a health data security breach, soon both parties to the contracts will be required to police each other, tell affected patients and even notify the Dept. of Health and Human Services if necessary.

In February 2010, significant changes regarding business associate agreements are coming from the Health Information Technology for Economic and Clinical Health Act -- the portion of the federal stimulus package that deals with health information technology.

Under HIPAA, physicians are required to have business associate agreements that detail how to handle security breaches. Doctors need contracts with organizations to which they submit electronic patient information -- health plans, health care clearinghouses, billing services, hospitals and even other physicians.

The need for those agreements hasn't changed with the HITECH Act. Agreements still must cover what happens in case of a security breach involving patients' health care information. But the HITECH Act toughens the rules about what has to happen, by whom, and addresses noncompliance.

HIPAA imposed an obligation on so-called covered entities (in this case, physicians) to police compliance from a business associate. If the doctor becomes aware of a pattern, activity or practice of the business associate that constitutes a material breach of the business associate's security obligations under the agreement, the physician is required to take reasonable steps to fix that breach.

If those steps prove unsuccessful, the physician must either terminate the agreement or notify HHS.

Now, under the HITECH Act, policing will become a two-way street -- the business associate also must monitor the physician's compliance.

If either the physician or the business associate becomes aware of a material breach of the other's obligations, the non-breaching party must take reasonable steps to fix the breach. If such steps prove unsuccessful, the non-breaching party is required to terminate the contract (if feasible) or notify HHS.

Most current business associate agreements probably reflect the one-way street, in which the physician polices the business associate. These agreements must be amended to reflect the new two-way relationship.

The parties also might consider adding specific provisions that describe what the non-breaching party will do if a breach occurs, and how to determine if the contract can be terminated. The parties may want to identify how HHS will be notified and who gets copies of the notification if the steps to fix the breach are unsuccessful and contract termination is not feasible.

In general, HIPAA gives patients the right to an accounting of any disclosure of their personal health information. Business associates must make such information available, so the physician can give that report to any interested patient.

Now, under the HITECH Act, that doctor also must describe the security breach and give either an accounting of the breach or a list of all business associates who had access to the patient's personal data.

The physician and the business associate may want to state in their contract which option the physician would exercise. Determining that in advance will help both the physician and the business associate be prepared in the event someone requests an accounting of a security breach.

Don't assume that your current business associate agreement is sufficient. The HITECH Act changes the playing field and imposes more requirements on business associates. It is likely that your contract needs to be amended accordingly.

