All business associate agreements (“BAAs”) must be updated and compliant with current Health Insurance Portability and Accountability Act (“HIPAA”) regulations by September 22, 2014. Failure to meet this deadline could result in large penalties for covered entities and/or business associates if there is a breach of protected health information (“PHI”) or a government audit. If you have not already done so, act now to ensure that you meet this important deadline.
Why do I need to update my BAAs by September 22, 2014?
The HIPAA Final Omnibus Rule (the “Final Rule”), published in January 2013, made many changes to the HIPAA regulations. One of the changes required covered entities and business associates to update their BAAs by September 23, 2013. However, the Final Rule established a transition period for certain BAAs, called grandfathered BAAs. Grandfathered BAAs are those that were in place prior to January 25, 2013 (and compliant with the then-current HIPAA rules) and were not subsequently modified or amended. The transition period is ending this month. According to the Final Rule, all grandfathered BAAs must be in compliance with current HIPAA regulations by September 22, 2014.
How do I get more information about updating my BAAs?
The U.S. Department of Health and Human Services (“HHS”) has posted sample BAA provisions on its website. Note that these provisions are only samples provided by HHS for guidance. For advice specific to individual circumstances, you should contact an experienced health law attorney.
I have already updated my BAAs. Is there anything else I need to do?
If your BAAs are compliant with current HIPAA regulations, then there is nothing else that you must do by September 22, 2014.
However, you should consider the following: