HIPAA business associate agreement available soon

Anticipating the April 2003 effective date for the Health Insurance Portability and Accountability Act (HIPAA) privacy rules, the Joint Commission on Accreditation of Healthcare Organizations is preparing a model "business associate agreement" that you can use when putting together the appropriate paperwork to comply with the new rule.

The model agreement should help providers and the Joint Commission to avoid some unnecessary work, says Margaret Van Amringe, vice president of external relations at the Joint Commission. She tells Hospital Peer Review that the model agreement is necessary because the HIPAA rule considers accreditors such as the Joint Commission to be business associates of the accredited organizations.

"Given that, we would be expected to have business associate agreements with each accredited organization, and this agreement would have to delineate our own privacy and disclosure practices, and how we would handle information that is identifiable by patient name," Van Amringe says. "We have nearly 20,000 accredited organizations, so it’s unreasonable to have a different agreement for each one. We don’t have the resources to develop that many."

Other model business associate agreements have been written, and Joint Commission-accredited facilities are free to use those as well, she says. But the Joint Commission will encourage providers to use the model it releases to minimize the customization and the time needed to review each agreement.

"We will have the model business associate agreement out to our accredited organizations by the end of 2002, and then all of our organizations would have to sign the agreement by April 2003," she says. "We’d like everyone to use our model as much as possible."