08-01-13 | Blog Post

EHR Vendor Contract Terms Clarified: BAAs Required


In an effort to clarify EHR vendor contract terms for healthcare organizations that are moving from paper to digital records, the ONC (Office of the National Coordinator for Health IT) has released its first guide on contracting with EHR vendors.

One of their key contract terms includes a HIPAA business associate agreement:

You must have a business associate agreement (BAA) with the EHR technology developer to ensure that there is no use or disclosure of protected health information other than as permitted or required by the BAA or as required by law and that they use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information.

As a business associate, EHR vendors must first ensure they can meet security safeguards required by HIPAA to protect electronic protected health information (ePHI). Compliance is not a snapshot in time, and requires ongoing maintenance with the help of security officers. Here’s a brief overview of a roadmap to achieving HIPAA compliance for EHR vendors:

  1. Conduct and document an initial risk assessment and analysis.
  2. Research and understand HIPAA standards and your role in handling PHI.
  3. Draft a business associate agreement (BAA) clearly defining your obligations in handling data.
  4. Invest in an independent, third-party HIPAA audit of your business against the OCR HIPAA Audit Protocol.
  5. Train employees in HIPAA compliant policies and procedures.
  6. Appoint a Risk Management and Security Officer position in your company.

Read Final HIPAA Omnibus Rule: Business Associate Agreements & Roadmap to Compliance for more details on how to achieve compliance.

Finally, for EHR vendors: if you’re outsourcing your application and data hosting services to a third party, you need to ensure you’re contracting with a HIPAA compliant hosting provider that operates HIPAA compliant data centers. As the final HIPAA omnibus rule states, both business associates and their subcontractors are held liable for data breaches and HIPAA violations.

Other terms addressed by the guide include negotiating EHR contract terms; ways in which EHR systems are provided; confidentiality and nondisclosure agreements; warranties and disclaimers; limitation of liability; dispute resolution; termination and wind down; and intellectual property disputes.

Read the EHR Contracts: Key Contract Terms for Users to Understand (PDF).

HIPAA Compliant Hosting White Paper

Read our HIPAA Compliant Hosting white paper, which explores the impact of HITECH and HIPAA on data centers. It includes a description of a HIPAA compliant data center IT architecture, contractual requirements, benefits and risks of data center outsourcing, and vendor selection criteria.
