HITECH Business Associate Requirements

Memorandum of Intent

MEMORANDUM OF UNDERSTANDING

COMPLIANCE WITH HITECH BUSINESS ASSOCIATE REQUIREMENTS

This Memorandum of Understanding is entered into between [COVERED ENTITY NAME] (“Covered Entity”) and [BUSINESS ASSOCIATE NAME] (“Business Associate”).

A. Covered Entity is an organization which is and has been required to comply with the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively “HIPAA”). Business Associate is an organization which provides services to Covered Entity involving the use and/or disclosure of protected health information (as that term is defined under HIPAA) (“PHI”) on behalf of Covered Entity. In order to comply with HIPAA, the parties have previously entered into a form of contract in compliance with the requirements of HIPAA (“Business Associate Agreement”).

B. The enactment of the Health Information Technology for Clinical and Economic Health Act (“HITECH”), Subtitle D of the American Recovery and Reinvestment Act of 2009, has established new requirements for compliance with HIPAA. In particular, HITECH requires (1) that Covered Entities and Business Associates provide notification to affected individuals in the case of breaches of unsecured PHI (“Breach Notification Requirements”); (2) that Business Associates comply with the HIPAA security regulations (“BA Security Compliance”); and (3) that additional and/or revised provisions be included in Business Associate Contracts (“BAC Amendment”).

C. Compliance with these new provisions will be required as follows:

1. The Breach Notification Requirements will be effective thirty days from the publication of implementing regulations, with an effective date of September 23, 2009.

2. BA Security Compliance and BAC Amendment will be required as of February 17, 2010.

D. The parties intend to provide for their compliance with HITECH in a reasonable, timely manner.

The parties therefore agree:

1. Intent to Enter Into Security Breach Notification Addendum. The parties shall enter into an addendum to their Business Associate Agreement providing provisions for coordination of Security Breach Notification (“Security Breach Notification Addendum”) as soon as reasonably practical after the issuance of the applicable implementing regulations on August 24, 2009. Business Associate acknowledges that a failure to implement Breach Notification Requirements by September 23, 2009 will mean the Business Associate is not in compliance with HITECH after that date, so that timely implementation and/or update of contract language and notification processes as necessary is of the essence of Business Associate’s continuing relationship to Covered Entity.

2. Intent for BA Security Compliance. Business Associate shall develop and implement a plan to come into compliance with the HIPAA security regulations as soon as reasonably possible upon the execution of this Memorandum. Upon Covered Entity’s reasonable request, from time to time the Business Associate shall advise Covered Entity of the planned schedule for compliance and the status of implementation. Business Associate acknowledges that a failure to implement HIPAA security regulation compliance by February 17, 2010 will mean the Business Associate is not in compliance with HIPAA after that date, so that timely completion of BA Security Compliance is of the essence of Business Associate’s continuing relationship to Covered Entity.

3. Intent to Amend Business Associate Agreement. The parties shall negotiate and finalize amendments to their Business Associate Agreement as soon as reasonably possible following the execution of this Memorandum. Each party shall provide for a contact person with appropriate authority to manage the contract amendment process and ensure its timely progress and implementation. The contract amendment process shall be coordinated as appropriate with Business Associate’s BA Security Compliance implementation. The parties acknowledge that a failure to enter into an appropriately amended Business Associate Agreement by February 17, 2010 will mean the parties are not in compliance with HIPAA after that date, so that timely completion of BAC Amendment is of the essence of Business Associate’s continuing relationship to Covered Entity.

4. Use of HITRUST Resources. In order to expedite the tasks contemplated by this Memorandum the parties shall use the tools and security assessment and reporting processes published and updated from time to time by the Health Information Trust Alliance (“HITRUST”). In particular, Covered Entity may require Business Associate to implement security compliance using the HITRUST Common Security Framework (“CSF”), and to perform and provide the results of a security assessment under the HITRUST CSF Assurance Program. We do reserve the right to conduct our own additional assessment if we learn of information through this program or elsewhere that increases our concerns about how Business Associate protects our information. The final form of any Security Breach Notification Addendum and amended Business Associate Agreement shall be as negotiated by the parties in their sole discretion, provided that the Business Associate Agreement must be in compliance with HITECH.

5. Effect of Memorandum. This Memorandum does not amend the existing Business Associate Agreement between the parties, and will be fully superseded by the final Security Breach Notification Addendum and amended Business Associate Agreement between the parties. This Memorandum upon completion of the tasks contemplated herein, but in no case later than February 17, 2010.

[COVERED ENTITY NAME]
[ADDRESS]
[CITY, STATE, ZIP CODE]

By:______
Signature

By:______
Printed Name

Title:______

Date:______

[BUSINESS ASSOCIATE NAME]
[ADDRESS]
[CITY, STATE, ZIP CODE]

By:______
Signature

By:______
Printed Name

Title:______

Date:______