Some controversy has erupted regarding the status of business associate agreements, when the business associate refuses to enter into a business associate agreement. The preamble to the HHS July 14, 2010 proposed regulations provides that - if a covered entity and business associate have failed to enter into a business associate agreement, then the business associate may use or disclose protected health information only as necessary to perform its obligations for the covered entity (pursuant to whatever agreement set the general terms for the relationship between the covered entity and business associate) or as required by law, but any other use or disclosure would violate the privacy rule. Some business associates have interpreted this as a default standard of having no BA agreement. It appears that HHS was trying to set forth some protection for covered entities who needed to do business with a BA, but couldn't get the BA to agree to a BA agreement. (Unfortunately, this situation is becoming more common.) However, I seriously doubt that HHS was attempting to set forth a default "no BA agreement standard," when the requirement remains that all CEs must obtain a BA agreement with their BAs. In addition, the disclosure allowed in such a situation is so limited, that any other use or disclosures would violate the privacy rule, such as a use of PHI by a BA for data aggregation. Further, monetary penalties for not signing a BA agreement apply equally to both the CE and the BA. Look for clarification of this in the final regulations.
Disclaimer
While we are pleased to have you contact us by telephone, surface mail, electronic mail, or by facsimile transmission, contacting Kilpatrick Townsend & Stockton LLP or any of its attorneys does not create an attorney-client relationship. The formation of an attorney-client relationship requires consideration of multiple factors, including possible conflicts of interest. An attorney-client relationship is formed only when both you and the Firm have agreed to proceed with a defined engagement.
DO NOT CONVEY TO US ANY INFORMATION YOU REGARD AS CONFIDENTIAL UNTIL A FORMAL CLIENT-ATTORNEY RELATIONSHIP HAS BEEN ESTABLISHED.
If you do convey information, you recognize that we may review and disclose the information, and you agree that even if you regard the information as highly confidential and even if it is transmitted in a good faith effort to retain us, such a review does not preclude us from representing another client directly adverse to you, even in a matter where that information could be used against you.
