HITECH Business Associate Requirements Memorandum of Intent

MEMORANDUM OF UNDERSTANDING
COMPLIANCE WITH HITECH BUSINESS ASSOCIATE REQUIREMENTS
This Memorandum of Understanding is entered into between [COVERED
ENTITY NAME] (“Covered Entity”) and [BUSINESS ASSOCIATE NAME] (“Business
Associate”).
A. Covered Entity is an organization which is and has been required to
comply with the Health Insurance Portability and Accountability Act of 1996 and its
implementing regulations (collectively “HIPAA”). Business Associate is an organization
which provides services to Covered Entity involving the use and/or disclosure of
protected health information (as that term is defined under HIPAA) (“PHI”) on behalf of
Covered Entity. In order to comply with HIPAA the parties have previously entered into
a form of contract in compliance with the requirements of HIPAA (“Business Associate
Agreement”).
B. The enactment of the Health Information Technology for Clinical and
Economic Health Act (“HITECH”), Subtitle D of the American Recovery and
Reinvestment Act of 2009 has established new requirements for compliance with
HIPAA. In particular, HITECH requires (1) that Covered Entities and Business
Associates provide notification to affected individuals in the case of breaches of
unsecured PHI (“Breach Notification Requirements”); (2) that Business Associates
comply with the HIPAA security regulations (“BA Security Compliance”); and (3) that
additional and/or revised provisions be included in Business Associate Contracts (“BAC
Amendment”).
C. Compliance with these new provisions will be required as follows:
1. The Breach Notification Requirements will be effective thirty days
from the publication of implementing regulations, with an effective date of
September 23, 2009.
2. BA Security Compliance and BAC Amendment will be required as
of February 17, 2010.
D. The parties intend to provide for their compliance with HITECH in a
reasonable, timely manner.
The parties therefore agree:
1. Intent to Enter Into Security Breach Notification Addendum.
The parties shall enter into an addendum to their Business Associate Agreement
providing provisions for coordination of Security Breach Notification (“Security
Breach Notification Addendum”) as soon as reasonably practical after the
issuance of the applicable implementing regulations on August 24, 2009. Business
Associate acknowledges that a failure to implement Breach Notification
Requirements by September 23, 2009 will mean the Business Associate is not in
compliance with HITECH after that date, so that timely implementation and/or
update of contract language and notification processes as necessary is of the
essence of Business Associate’s continuing relationship to Covered Entity.
2. Intent for BA Security Compliance. Business Associate shall
develop and implement a plan to come into compliance with the HIPAA security
regulations as soon as reasonably possible upon the execution of this
Memorandum. Upon Covered Entity’s reasonable request, from time to time the
Business Associate shall advise Covered Entity of the planned schedule for
compliance and the status of implementation. Business Associate acknowledges
that a failure to implement HIPAA security regulation compliance by February
17, 2010 will mean the Business Associate is not in compliance with HIPAA after
that date, so that timely completion of BA Security Compliance is of the essence
of Business Associate’s continuing relationship to Covered Entity.
3. Intent to Amend Business Associate Agreement. The parties
shall negotiate and finalize amendments to their Business Associate Agreement as
soon as reasonably possible following the execution of this Memorandum. Each
party shall provide for a contact person with appropriate authority to manage the
contract amendment process and ensure its timely progress and implementation.
The contract amendment process shall be coordinated as appropriate with
Business Associate’s BA Security Compliance implementation. The parties
acknowledge that a failure to enter into an appropriately amended Business
Associate Agreement by February 17, 2010 will mean the parties are not in
compliance with HIPAA after that date, so that timely completion of BAC
Amendment is of the essence of Business Associate’s continuing relationship to
Covered Entity.
4. Use of HITRUST Resources. In order to expedite the tasks
contemplated by this Memorandum the parties shall use the tools and security
assessment and reporting processes published and updated from time to time by
the Health Information Trust Alliance (“HITRUST”). In particular, Covered
Entity may require Business Associate to implement security compliance using
the HITRUST Common Security Framework (“CSF”), and to perform and
provide the results of a security assessment under the HITRUST CSF Assurance
Program. We do reserve the right to conduct our own additional assessment if we
learn of information through this program or elsewhere that increases our
concerns about how Business Associate protects our information. The final form
of any Security Breach Notification Addendum and amended Business Associate
Agreement shall be as negotiated by the parties in their sole discretion, provided
that the Business Associate Agreement must be in compliance with HITECH.
5. Effect of Memorandum. This Memorandum does not amend the
existing Business Associate Agreement between the parties, and will be fully
superseded by the final Security Breach Notification Addendum and amended
Business Associate Agreement between the parties. This Memorandum upon
completion of the tasks contemplated herein, but in no case later than February
17, 2010.
[COVERED ENTITY NAME]
[ADDRESS]
[CITY, STATE, ZIP CODE]
By:_______________________________
Signature
By:_______________________________
Printed Name
Title:______________________________
Date:______________________________

[BUSINESS ASSOCIATE NAME]
[ADDRESS]
[CITY, STATE, ZIP CODE]
By:________________________________
Signature
By:_______________________________
Printed Name
Title:______________________________
Date:______________________________