Some CEs will include a provision permitting them to have access to and audit the BA’s HIPAA practices. The right to
audit BA compliance may afford the CE comfort about how seriously the BA is taking its HIPAA obligations.
Larger BAs in particular may push back against CEs who try to include this concept in the BAA.
• Fines and other remedies in the event of a breach or unauthorized disclosure of PHI by the BA.
Some CEs seek to impose penalties for a breach or unauthorized disclosure of PHI by a BA. These clauses can take the
form of liquidated damages, specific performance, or other equitable relief.
• Other substantive obligations.
BAAs can be written to address many other substantive obligations imposed on the BA. For instance, the CE may want to
specify in detail how the BA will comply with the Privacy Rule’s “access” provision, which requires BAs to provide a copy
of electronic PHI in a designated record set to the CE, the individual, or the individual’s designee.
Other substantive Privacy Rule obligations can also be addressed at varying levels of detail.
If you have comments or questions about amending BAAs, please contact Jesse Berg at jesse.berg@gpmlaw.com or
612-632-3374.
Gray Plant Mooty Health Law Seminar
HIPAA issues will be addressed at Gray Plant Mooty’s 18th annual Health Law Seminar, to be held July 17th at the Depot
in Minneapolis. You can find more information about this event and how to register here.
Minneapolis, MN | St. Cloud, MN | Washington, DC | Fargo, ND
© 2016 Gray Plant Mooty | gpmlaw.com