Pharmacy News: HITECH Requirements for Business Associate Agreements

Wow! We are covering a lot of topics in this HIPAA Readiness Series! If you haven’t had a chance and want to, visit the PRS website to catch up on the topics we have gone over so far. This next topic is an important one.

Let’s Share! Business-Associate-Agr(Business Associate Agreements)

We’ve all been taught that sharing is good. In 21st century healthcare, sharing data is essential. But, it’s also a bit worrisome. Criminals can do a lot of harm with stolen patient health information (PHI), so the laws protecting PHI disclosed by Health Care Providers were strengthened through the Health Information Technology for Economic and Clinical Health (HITECH) in 2009. Further strengthening occurred to all aspects of the HIPAA Rules and Regulations in January of 2013 with the release of Omnibus HIPAA Rulemaking.
“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriquez. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

Covered entities and their business associates—anyone to whom they legally disclose PHI— must sign agreements obligating them to follow the HIPAA Privacy and Security Rules. You should already have these Business Associate Agreements (BAAs), but are they up to date? As of September 23, 2014, OCR is now enforcing these additional requirements:
1. Your business associates must now have a written plan that complies with the HIPAA Security Rule with the same level of specificity required of any covered entity. They must document how they will protect hard copy and/or electronic PHI.
2. BAAs must include the restrictions on use and disclosure of PHI listed in Section 164.504(e) of the HIPAA Privacy Rule.
3. Your BAA should include an acknowledgement that your business associate may be audited by OCR.
4. Your business associates are required to notify you, the covered entity, of any breach or unsecured PHI. You need to follow the notification rules even if it was your business associate that experienced the breach.

Make sure your business associates know that they are subject to civil and criminal penalties for breaching a BAA or otherwise violating HIPAA. Civil penalties range from $100 per violation to $50,000 per violation for incidences that exhibit “willful neglect.” HITECH also gives State Attorneys General the ability to enforce violations with injunctions and civil damages.
You can find additional resources about Business Associate Agreements BAAs on the Office of Civil Rights website found at

For more information about HIPAA and other pharmacy compliance solutions for your pharmacy, call PRS at 1-800-338-3688 and speak with one of our Specialists. Also, stop back here for additional posts on compliance issues and what you need to know as a pharmacy owner.