HITECH Incorporation by Law: A Painful Conundrum

Okay, here’s yet another HITECH question: What does it actually *mean* if HITECH BA requirements are both applicable as a matter of law, and required to be incorporated into BACs? Do we have any discretion to vary the BAC language from the legally incorporated language?

We’ve all (well, many of us) read the argument about why HITECH’s “shall be incorporated” language can properly be interpreted to the effect that the included requirements are incorporated in BACs as a matter of law. In fact, HIMSS sent comments to OCR to that effect, which were essentially a well-reasoned legal argument. I haven’t confirmed the legal research or checked for alternative legal theories – I do have to do paying work too – but knowing the folks who prepared and reviewed it I expect it’s sound. I think the language is at least ambiguous, in that “shall be incorporated” can also be interpreted as a command (“the parties shall incorporate”), but the other position clearly has good support.

Automatic incorporation is a helpful position for one significant problem, that of BAC amendment. CEs with a lot of BAs (and BAs with a lot of CEs) already face a burdensome and annoying project in identifying and updating existing contracts, no matter what the timeline. If they have to do it by February 17 this burdensome project will become very difficult and perhaps in some cases impossible within the allotted time. If existing BACs are considered compliant without amendment because new HITECH requirements are incorporated by law as of their effective date, however, this problem is alleviated. Given this useful result and well-reasoned arguments for the automatic incorporation position, OCR could well adopt it.

If so, however, what happens to BAC provisions which deviate from the language of the automatically incorporated requirements? There may be a number of situations where this makes sense – certainly my own view is that it is preferable to write BAC requirements in terms consistent with contract interpretation and enforcement and the parties’ actual operations, because statutory and regulatory language is not necessarily well-adapted to the kinds of interaction and services standards and definitions and dispute resolution needs contracts are intended to serve.

But if we are under a regime where statutory or regulatory requirements are automatically incorporated, in the statutory or regulatory language, does that mean that differing contractual language is:

1. Per se invalid?

2. Invalid to the extent it changes a material aspect of the incorporated requirement? If so, what might be material?

3. A violation of HIPAA/HITECH because it is in whole or in part invalid? If so it would be a continuing violation . . .

4. Valid, but creating an overlapping additional or supplementary requirement to the extent it is materially different from the incorporated requirement?

5. Something else that hasn’t occurred to me?

I don’t know, but I think I’d better try to figure it out.

In fact, I think I’d better figure it out *even if OCR guidance states that automatic incorporation is not the rule.* In another HITECH strange loop, this problem also affects *existing* BACs, to the extent the language of those provisions deviates from the language used to define the BAC provision requirements in the Privacy Rule. And the language used does not seem ambiguous, the way the “incorporation” language from 13401 and 13404 does.

Here’s the problem. HITECH sec. 13404 states:
In the case of a business associate of a covered entity that obtains or creates protected health information pursuant to a written contract (or other written arrangement) described in section 164.502(e)(2) of title 45, Code of Federal Regulations, with such covered entity, *the business associate may use and disclose such protected health information only if such use or disclosure, respectively, is in compliance with each applicable requirement of section 164.504(e) of such title[.]*
The last clause appears to me to make the “applicable requirements of section 164.504(e)” legal obligations of the BA, *independent of the BAC.* These obligations are the established BAC requirements – which therefore now are independent statutory requirements which parallel, overlap or perhaps override the same requirements in *all BACs*, to the extent the language in the BAC may vary from the regulatory language of the BAC requirements. (Though I’m not actually sure we’ve got the potential variation invalidity problem, since we don’t have the “incorporation” language – but I do think organizations could face a “deviation = additional obligations” problem.)
