Two Months Until the Omnibus Final Rule Deadline: Are Your Business Associate Agreements Compliant?

July 17, 2013

On Jan. 17, 2013, the U.S. Department of Health and Human Services (HHS) released the Omnibus Final Rule pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and the Genetic Information Nondiscrimination Act of 2008 (GINA). The Final Rule makes significant changes to the privacy and security obligations of covered entities and their business associates with respect to patients’ protected health information (PHI). Covered entities and business associates are required to come into full compliance with the Final Rule by Sept. 23, 2013.

One of the more burdensome compliance tasks necessitated by the Final Rule is ensuring that all business associate agreements (BAAs) meet the updated requirements. In general, providers must enter into new BAAs or modify existing BAAs by Sept. 23, 2013. However, existing BAAs that (i) were entered into on or before Jan. 25, 2013; (ii) meet the requirements that were applicable prior to the promulgation of the Final Rule; and (iii) were not modified after March 26, 2013, do not have to be updated until Sept. 23, 2014. To the extent that an entity anticipates relying on this grandfathering exception, we recommend ensuring that existing agreements are compliant with the old rules. Otherwise, the exception will not apply.

Entities will also need to evaluate whether the new definition of “business associate” creates additional business associate relationships. The Final Rule contains a number of modifications and clarifications that are significant for defining who qualifies as a business associate of a covered entity under the Health Insurance Portability and Accountability Act (HIPAA). In the Final Rule, HHS (i) clarifies that data storage providers that maintain PHI on behalf of covered entities or business associates on a long-term basis qualify as business associates under HIPAA; and (ii) expands the definition of business associate to include subcontractors of business associates. Accordingly, covered entities and business associates should ensure that they have entered into a compliant BAA with any cloud storage provider to which they have entrusted patient data. All downstream vendors with access to PHI must sign a compliant BAA, no matter how many vendors are interposed between the covered entity and the downstream vendor.

The following are recommended next steps for updating BAAs:

  1. Update the entity’s form BAA to ensure compliance with the Final Rule. This may also be a good opportunity to consider whether the protections and restrictions in the form agreement go far enough in protecting patients and the entity. For additional considerations for providers, see the article, “Are Your Vendors Violating HIPAA? Why Internal HIPAA Compliance May Not Be Enough.”
  2. Conduct an inventory of all current BAAs (including BAAs in which the entity is the covered entity and BAAs in which the entity is a business associate or subcontractor). Each of these BAAs will need to be modified by an amendment or replaced with a revised BAA.
  3. Providers and their business associates should review all business relationships to ensure that a BAA is in place where one is required under HIPAA. Providers and business associates may have relationships that did not previously require a BAA, but do now under the Final Rule’s expansion of the definition of “business associate.”

Please contact the authors for more information about business associate agreements, the Final Rule or HIPAA compliance generally.