September 23, 2013: What It Means for HIPAA Business Associate Agreements

September 23, 2013 is rapidly approaching, and Covered Entities and Business Associates must comply with the requirements of the HIPAA Omnibus Rule by this date. Among the tasks facing Covered Entities and Business Associates seeking to meet Omnibus Rule requirements is ensuring that their Business Associate Agreements (“BAAs”) comply with the Omnibus Rule. One particular challenge regarding BAAs is that the deadline for compliance depends on when they were entered into, renewed, or modified. Another challenge is that entities may have varying forms of BAAs with multiple parties.

The Omnibus Rule provides that Covered Entities and Business Associates must modify their BAAs to comply with the Omnibus Rule according to the following schedule:

  • Generally, business associate agreements must comply with Omnibus Rule requirements beginning September 23, 2013; yet
  • BAAs that a party had entered into as of, and was operating pursuant to before, January 25, 2013 (and that otherwise complied with HIPAA as of that date) shall be deemed compliant until the earlier of:
    • The date they are renewed or modified on or after September 23, 2013; or
    • September 22, 2014; however
  • If such a BAA is renewed or modified on or after March 26, 2013, it must become compliant with Omnibus Rule requirements beginning September 23, 2013.
  • Similar transition provisions exist for data use agreements.

In short, BAAs and data use agreements that pre-date January 25, 2013 and were HIPAA compliant on that date are deemed compliant until September 22, 2014, unless they are renewed or modified. All other BAAs need to become compliant with Omnibus Rule requirements beginning September 23, 2013.

With September 23, 2013 approaching, Covered Entities and Business Associates that have not already done so must identify all BAAs that need to become compliant by that date and negotiate updated BAAs that comply with the Omnibus Rule. There are many reasons to ensure that BAAs comply with the Omnibus Rule; if Covered Entities and Business Associates require another reason, the HHS Office for Civil Rights audit protocol includes assessments of policies and procedures related to BAAs as well as their content.
