In response to the release last week of the new HIPAA "omnibus" (so-called "mega") regulation, the HHS Office for Civil Rights (OCR) has released sample Business Associate Agreement provisions that incorporate the requirements of the new Regulation.
The sample is not a required form, but it provides a general-purpose template for healthcare providers and other covered entities that do not have their own HIPAA compliance team.
Some tips for using the form:
1. It is great that the government is putting out a sample, but NEVER adopt a sample as-is. ALWAYS customize the form to address the specifics of your agreement and your expectations for the individual Business Associate, or you will be unhappy with the outcome.
2. Get professional advice from an outside law firm, in-house counsel, or a consultant. To save time and money, have experienced internal staff draft the preliminary agreement, then submit the draft for legal review.
3. You definitely need to add some provisions that are not in the sample. Talk to your lawyer or consultant about "choice of law" provisions, "venue" selection, and "jurisdiction" designation.
4. You may wish to consider adding insurance requirements, proof of insurance, and minimum policy limits.
5. You definitely want to look carefully at breach notification requirements (what must be reported, to whom, and within what time frame), monitoring provisions, and audit rights.
The basic OCR sample form can be found at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html