The Final HIPAA Omnibus Rule (the “Omnibus Rule”), published in the Federal Register on January 25, 2013, made various important changes to how entities must comply with privacy and security requirements. While most deadlines stemming from the Omnibus Rule have passed, one is imminent: the final requirement to update Business Associate Agreements (“BAAs”). Certain BAAs may need to be updated by September 22, 2014.
Most BAAs were required to be updated to comply with the Omnibus Rule by September 23, 2013. Key required changes related to breach reporting requirements, obligations for business associates performing covered entity functions, and an expanded definition of ‘business associate.’ However, BAAs already in place prior to the effective date of the Omnibus Rule that were neither renewed nor modified between March 26, 2013, and September 23, 2013, were deemed to be in compliance. Such BAAs were required to be updated to comply with the Omnibus Rule upon renewal or modification. Because deemed compliance is about to expire, BAAs that currently do not comply with the Omnibus Rule are required to be updated to come into compliance by September 22, 2014.
Covered Entities and Business Associates are encouraged to review their BAAs over the next several weeks to determine if modifications are needed to facilitate compliance.