New laws on patient security breaches mean your associate contracts probably need updating

Published: 2009-12-02 11:52:45
Author: Steven M. Harris | American Medical News | November 16, 2009

Think your business associate agreements sufficiently protect your rights? Now figure in new laws on security breaches of patient information.

Those agreements you signed to comply with the Health Insurance Portability and Accountability Act probably need to be torn up, rewritten and re-signed. In the case of a health data security breach, soon both parties to the contracts will be required to police each other, tell affected patients and even notify the Dept. of Health and Human Services if necessary.

In February 2010, significant changes regarding business associate agreements are coming from the Health Information Technology for Economic and Clinical Health Act -- the portion of the federal stimulus package that deals with health information technology.

Under HIPAA, physicians are required to have business associate agreements that detail how to handle security breaches. Doctors need contracts with organizations to which they submit electronic patient information -- health plans, health care clearinghouses, billing services, hospitals and even other physicians.

The need for those agreements hasn't changed with the HITECH Act. Agreements still must cover what happens in case of a security breach involving patients' health care information. But the HITECH Act toughens the rules about what has to happen and by whom, and it addresses noncompliance.

HIPAA imposed an obligation on so-called covered entities (in this case, physicians) to police compliance from a business associate. If the doctor becomes aware of a pattern, activity or practice of the business associate that constitutes a material breach of the business associate's security obligations under the agreement, the physician is required to take reasonable steps to fix that breach.

If those steps prove unsuccessful, the physician must either terminate the agreement or notify HHS.
