New Sample BAA to Consider: HIPAA & HITECH Act Blog by Jonathan P. Tomes

Because I have a number of current California clients and past ones who may be Premium Members, I have revised my sample Business Associate Agreement (“BAA”) to comport with the Kamala D. Harris, Attorney General, California Department of Justice, California Breach Report, February 2016, at (hereinafter “Breach Report”), which specifies what are reasonable and appropriate security measures for California businesses, including health care businesses. Please see my blog post of March 10, 2016, for more information on the Breach Report. I believe that California covered entities and upstream business associates should seriously consider adding to their BAAs language requiring compliance with these security measures.
As always, please get competent legal review of the sample BAA as it applies to your organization and to your organization’s activities.
Even if you do not do business in California, you may want to read the Breach Report, consider adding such language to your BAAs, and consider its guidance when you perform or update your risk analysis. Please see my blog post of June 26, 2016, for information on how Illinois, like California, is providing more protection to personal information. I can make a good argument that, although the California Breach Report is not the law in any other state, it may soon become a national standard of care for protecting individually identifiable health information.
The new sample BAA with California language for you to consider is available for you in the Premium Member section of our Veterans Press website. If you bought our HIPAA Compliance Library, it included a one-year subscription to the Premium Member section. If you have trouble logging in, please contact our IT/order department at, or
