On January 25, 2013, the U.S. Department of Health and Human Services (HHS) published the long-awaited HIPAA final omnibus rule (Final Rule). Among the mandates in the Final Rule are several new requirements for Business Associate Agreements (BAAs). While there is likely to be little controversy regarding the requirements, the new standards will probably require HIPAA Covered Entities (health care providers, health plans and insurers) to modify their existing BAAs by either September 2013 or 2014, depending upon the facts of a given situation.
BAAs Generally
For over a decade, the HIPAA regulations have required Covered Entities to enter into BAAs with all contracted parties who: (1) perform a function on behalf of the Covered Entity and (2) have access to protected health information (PHI) of a Covered Entity as a result of that function. The required terms of BAAs are set forth in the HIPAA regulations.
Requirements of the Final Rule
The Final Rule slightly modified some of the requirements surrounding BAAs, added some new required statements regarding delegated duties and removed some requirements relating to notifications to HHS in certain circumstances. While these modifications, additions and subtractions may not result in substantial modifications, they will likely require some changes to existing BAAs. In addition, the HHS Office for Civil Rights has issued a new sample BAA, which may serve as the new standard in the industry. We advise you to review this sample language and tailor it to your unique circumstances before adopting it.
Given the required changes and the new sample provisions from HHS, we recommend that all clients review their existing BAAs and formulate a plan for modifying or replacing these agreements.
Timing of New BAAs
The general date for compliance with the Final Rule is September 23, 2013. However, HHS has granted a one-year grace period for all BAAs that were in place prior to the date the Final Rule was issued (January 25, 2013). This grace period allows the parties to continue existing BAAs, though they will be treated as though they are operating under the new law. The grace period extends until (1) the date the BAA is modified or renewed,* or (2) September 22, 2014; whichever is earlier.
*Automatic renewal of agreements through "evergreen" clauses does not count as a renewal for these purposes.
NEXT STEPS
We recommend that Covered Entities take the following steps:
-
Revise existing BAA templates for use with all new contractual relationships.
-
Review BAA terms in any contract that is renewed or modified between now and September 2014 to ensure compliance with the Final Rule.
-
Take or review inventory of existing BAAs and formulate a plan to replace these with BAAs that are compliant with the Final Rule by September 2014.