Four weeks and counting for “grandfathered” HIPAA business associate agreements

The HIPAA Omnibus/Final Rule, published on January 25, 2013, changed the specifications for business associate agreements (BAAs). In general, covered entities were required to comply with the changes to the rule; however, rather than requiring covered entities to immediately enter into new BAAs with all business associates, the Final Rule grandfathered, through September 22, 2014, valid HIPAA business associate agreements that the covered entity had entered into prior to that publication date. That grace period is now quickly coming to an end. With the ultimate compliance deadline looming, covered entities that took advantage of this grace period will be required to ensure that their grandfathered BAAs, and for that matter all their BAAs, are fully compliant with the Final Rule requirements.

Although under the Final Rule business associates are now independently required to wholly comply with HIPAA/HITECH and are subject to direct liability for noncompliance, the obligation to ensure that appropriate business associate agreements are in place between the business associate and the covered entity still falls on the covered entity. Starting on September 23, 2014, besides meeting all the previously required elements concerning safeguarding protected health information (PHI), all BAAs will need to contain terms that address the following additional obligations for business associates:

  1. compliance with the HIPAA Security Rule;
  2. a commitment by the business associate to execute business associate agreements with its subcontractors;
  3. compliance with the Privacy Rule to the extent the business associate is carrying out the covered entity’s obligations; and
  4. a duty to report breaches of unsecured PHI to the covered entity.

What does this mean for health care providers? This is a good time to review all business associate agreements. Clearly any BAAs entered into prior to January 25, 2013 should be reviewed, revised or re-entered into as needed to ensure compliance with the Final Rule and other HIPAA obligations. It is also a good time to review more recent business associate agreements in order to confirm that they also contain provisions that address these requirements.