Business associate agreements that have not already been updated as required by the HIPAA Omnibus Rule should be updated by September 22, 2014.
The Omnibus Rule changed and added mandatory language for valid business associate contracts. The compliance date for the HIPAA Omnibus Rule was September 23, 2013. Recognizing the burden on the industry in amending or entering into new business associate agreements, the Department of Health and Human Services permitted an additional year to update certain business associate agreements. Business associate agreements qualified for this “extension” if: (1) prior to January 25, 2013, the parties had a business associate agreement in place that complied with the HIPAA Privacy and Security Rules that were in effect at that time; and (2) the agreement was not revised or renewed between March 26, 2013 and September 23, 2013.