Updating business associate agreements

July 8, 2005

Q: In 2003, when the privacy rule first took effect, I entered into a business associate agreement with my billing company, as HIPAA requires. Must I now update that agreement in light of the new security standards?

A: Yes, if your billing company handles protected medical information electronically, whether via a computer, a computer disc, a PDA, or a similar electronic device. In such cases, be sure to update your agreement so that your billing company is required to:

  • implement administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of the electronic medical information it receives from you;
  • ensure that any subcontractors or other parties to which it gives access to this information agree to take the same steps to protect it; and
  • report to you any security incident or breach involving that information that it becomes aware of.

In general, the government requires you to enter into a business associate agreement with any party, other than a member of your own office staff, that performs activities on your behalf that may involve the use or disclosure of protected medical information. If other vendors you deal with fall into this category, they, too, must be given an appropriate business associate agreement, and any existing agreements with them need the same security-related updates described above.