Recent updates to the Health Insurance Portability and Accountability Act’s (HIPAA) privacy regulation may affect consultants who work with health care organizations. The Privacy Rule requires Covered Entities (CEs) to have any vendor, contractor, or service provider that uses protected health information to conduct business on the CE’s behalf sign a Business Associate (BA) agreement. If your work allows you access to protected patient health information, you will be required to sign a BA agreement.

We spoke with TechRepublic member Luba Halich, a principal consultant at health care consulting firm ZoriaMed, Inc. Halich stays abreast of HIPAA’s ever-changing rules and requirements. She recommended three Web sites where consultants can learn more about BA agreements. Here are these resources, along with a short summary of what each offers.

HIPAA’s Business Associate agreement requirements
Generally, BA agreements between the CEs and their associates must be completed by April 13, 2003, for new contracts, with an additional year provided for existing contracts. However, consultants may want to delve deeper into the timelines and the specifics of the BA agreements, which outline the appropriate use of protected health information, safeguards, policy and procedures, and corrective actions if a privacy breach occurs.

The following three resources offer further information about HIPAA’s BA agreements:

  • Office for Civil Rights
    This portion of the Office for Civil Rights site offers background information about the Privacy Rule, a bulleted list defining a “business associate,” and a set of Frequently Asked Questions.
  • Connecticut State Medical Society
    This section of the Connecticut State Medical Society site offers links to legislative alerts and updates concerning the Privacy Rule and HIPAA at large. It also offers a sample Business Associate agreement so consultants can get a taste of what they may be asked to sign.
    For a more comprehensive explanation and breakdown of the Privacy Rule, check out this section of You’ll find explanations and clarification under these headings: Required Permissions, Disclosures To Other Entities For Payment & Operations, Business Associate Requirements, Limited Data Sets, and Marketing. You’ll also find a link to a Q&A about HIPAA law.

More about BA agreements

Luba Halich had more to say about what consultants should know about BA agreements. Look for her recommendations in a future article.