Don’t Put Off That New HIPAA Business Associate Agreement: September 23, 2014 Deadline Looms


It’s been a while, but we have another HIPAA deadline just around the corner: September 23, 2014.

September 23, 2014 is the date by which all HIPAA business associate agreements need to be in compliance with the current HIPAA regulations (often called the Omnibus Rule). The current rules went into effect on March 26, 2013, but certain then-existing HIPAA BAAs were grandfathered and did not have to be updated immediately. The grandfathering ends and up-to-date BAAs must be in place starting September 23, 2014.

Specifically, compliance was required 180 days following the HIPAA Omnibus Rule’s effective date (3/26/13); that initial deadline was September 23, 2013.  Additional time was provided for covered entities to enter into updated business associate agreements under certain circumstances, e.g., if the then-existing BAA complied with prior HIPAA rules, the parties to the BAA had an additional year to bring their BAAs into compliance with new Omnibus Rule.  That grandfathering will soon come to an end.

If you already updated your BAAs to be consistent with the Omnibus Rule, there’s nothing more to do right now (although it never hurts to review your agreements and to make sure you have BAAs where they are needed.)

As you revisit your BAAs, look at some of the elements to see if they can be made more favorable, including the following types of provisions:

  • breach notification timing;
  • ownership of data;
  • mitigation and breach response obligations;
  • indemnification;
  • insurance; and
  • incorporation of other federal and parallel state data security standards.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley Hoag - Privacy & Data Security | Attorney Advertising

Written by:


Foley Hoag - Privacy & Data Security on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.