As a result of recent changes to the Health Insurance Portability and Accountability Act (HIPAA), business associates of healthcare organizations—including consultants who handle individually identifiable health information for their healthcare clients—must sign a business associate (BA) agreement to comply with HIPAA’s privacy guidelines.

So if you’re a consultant who already has a contract with a healthcare organization (which HIPAA regulations refer to as a “Covered Entity”) and the contract doesn’t expire by HIPAA’s April 14, 2003, compliance date, you’ll have to sign off on a BA agreement by April 14, 2004. If you’re working on a new contract, that compliance date is April 14, 2003.

What kind of language should you expect to see in a BA agreement? What obligations are you under to report an unauthorized disclosure of patient information? What does this mean for subcontractors whom you’ve hired for your healthcare contracts?

Luba Halich, a principal of ZoriaMed, a San Diego-based healthcare information management and technology consulting firm, recently sent us a sample BA agreement to give consultants a preview of what they can expect when a client asks them to sign one.

Halich predicted that many healthcare organizations will rely heavily on language that the federal government has suggested. She recommended that consultants concentrate on HIPAA’s privacy and security regulations when faced with a BA agreement, instead of trying to familiarize themselves with every aspect of HIPAA.

We want to emphasize that this downloadable form is a sample BA agreement and is meant to serve as a starting point for consultants who want to familiarize themselves with some of the language used by healthcare organizations. We suggest that you contact your lawyer if you’re working with such an agreement.

For example, Halich said that healthcare organizations may add requirements that the law does not impose, shift liability to consultants, or require consultants to cover expenses that they would not normally meet.

Halich said that these new regulations should not dissuade consultants from working with healthcare clients. “What they’re asking you to do, to protect patient privacy, is ethically something you should do anyway,” she said.