September 22, 2014: Quickly approaching deadline to amend business associate agreements

Thompson Coburn LLP

Close-up of secretary’s hands doing paperworkThe HIPAA Omnibus Rule, enacted last year, made a number of changes to the HIPAA privacy, security and breach notification rules. Some of these changes affected business associate provisions of the HIPAA privacy and security rules and required amendment of existing business associate agreements (“BAAs”).

Although compliance with the Omnibus Rule was required as of September 23, 2013, the Omnibus Rule “grandfathered” certain BAAs that were in effect as of January 25, 2013. Under the grandfathering provisions, those BAAs needed to be amended to comply with the Omnibus Rule by September 22, 2014 (or earlier, if the BAA was renewed or revised after September 23, 2013). While this transition period has been a welcome provision providing health care organizations with time to bring existing BAAs into compliance with the Omnibus Rule, it is important to remember that the transition period is expiring in two weeks and all BAAs must be compliant with the Omnibus Rule by September 22, 2014.

Some of the key provisions that must be included in the BAAs under the Omnibus Rule include:

  • Specifying that the business associate must comply with the HIPAA security rules,
  • Requiring the business associate to notify the covered entity regarding breaches of unsecured protected health information,
  • Updating the provisions related to subcontractors, and
  • Indicating that to the extent the business associate is to perform any of the covered entity's obligations under the HIPAA privacy rule, the business associate will also comply with all of such rule’s requirements that apply to the covered entity.

In addition to including in BAAs provisions required by the Omnibus Rule, the parties may also choose to add provisions that would clarify the various responsibilities of the parties from a business perspective (for example, addressing financial responsibility in the event of a breach of unsecured protected health information).

Given the upcoming compliance deadline and the heightened enforcement of the HIPAA rules, it is important that covered entities identify all vendors that are considered to be a business associate and ensure that Omnibus Rule compliant BAAs are in place with all business associates by September 22, 2014.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thompson Coburn LLP | Attorney Advertising

Written by:

Thompson Coburn LLP

Thompson Coburn LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.