HIPAA business associate compliance by EHR vendors not optional

Now that the HIPAA omnibus rule implementing many of the provisions of the HITECH Act officially has gone into effect, most covered entities are hard at work updating and signing agreements with their business associates before the fast-approaching Sept. 23 compliance deadline.

Many providers, however, are running into a roadblock. Many electronic health record vendors, as well as related software vendors, won't accept that they meet the definition of "business associate" under the new rule, according to nurse attorney Randi Kopf in Rockville, Md., who specializes in health IT law on behalf of providers, mainly physicians. As a result, Kopf told FierceEMR in an exclusive interview, those vendors won't agree to comply as the rule requires.

"The new HITECH rule requires most vendors to have business associate agreements but the software companies don't feel they have to," Kopf said.

EHR vendors that have access to patients' confidential information--via shared programs accessed over the internet, installation of upgrades, staff training, and the like--meet the definition of BAs. I've lamented before that EHR vendor contracts often are one-sided and can create HIPAA problems for providers.

But now that the industry knows exactly what's expected of it in terms of HIPAA compliance, these issues should have been resolved. They're not, and new problems are cropping up, as Kopf recently discovered in her review of vendor contracts.

For example, a Centers for Medicare & Medicaid Services website regarding the electronic prescribing incentive program specifies the electronic prescribing criteria needed, but doesn't say that the modules need to be HIPAA-compliant. Kopf said that vendors have been using that omission as an excuse not to comply with the BA provisions, and have refused to revise their contracts accordingly.

Another problem has been the attempt by EHR vendors to sidestep HIPAA by refusing to take responsibility for vendors of electronic prescribing and other modules. "Their contracts disclaim liability and responsibility [for the electronic prescribing module vendors], and say that providers are agreeing instead to third-party contracts," Kopf said.

All this despite the fact that the omnibus rule extends HIPAA obligations to a BA's subcontractors: EHR vendors are required to enter into business associate agreements with the e-prescribing module vendors that act as their subcontractors.

Moreover, even the EHR vendors that include HIPAA compliance language in their contracts typically haven't included the more specific business associate language and obligations that the law requires.

"These are software people. They're not accustomed to being regulated in this industry," Kopf said.

In my opinion, that's no excuse. People don't get to avoid the law because they're not familiar with it.

With enforcement of HIPAA expected to increase, this is not an area where providers can let themselves be bullied. Providers remain legally liable for breaches of their patients' data, whether or not their business associates comply.

If you need a business associate agreement with an EHR vendor--or anyone else, for that matter--don't accept less. - Marla (@MarlaHirsch)