The final HIPAA-HITECH Omnibus Rule (Omnibus Rule), released in January, substantially increases the privacy responsibilities of a business associate that receives protected health information, such as contractors and subcontractors. These new requirements will need to be reflected in business associate agreements (BAAs) between the covered entity and the business associate as well as in agreements between a business associate and its subcontractor.
For example, BAAs must now contain provisions requiring business associates to notify the covered entity of any data breaches. Moreover, the Omnibus Rule expanded the definition of “business associates” to include subcontractors, which means business associates must now enter into BAAs with their subcontractors who access PHI.
The Department of Health & Human Services (HHS), Office for Civil Rights (OCR) has posted sample BAA provisions on its website to help covered entities and business associates more easily comply with the additional BAA requirements found in the Omnibus Rule. While these sample provisions are written for use in a contract between a covered entity and its business associate, the language may be tailored for purposes of a contract between a business associate and its subcontractor.
These sample provisions do not constitute a sample contract but are only a starting point. It is not enough to print and sign these provisions. As OCR warns, “These provisions address only concepts and requirements set forth in the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules, and alone may not be sufficient to result in a binding contract under State law. They do not include many formalities and substantive provisions that may be required or typically included in a valid contract. Reliance on this sample may not be sufficient for compliance with State law, and does not replace consultation with a lawyer or negotiations between the parties to the contract.” Moreover, there are common concepts in BAAs that are notably missing from the sample provisions, such as indemnification, notification, and mitigation, which should be considered for inclusion with any BAA.
If your current BAA was signed on or before January 24, 2013, then it will be deemed HIPAA compliant through September 23, 2014 (at which time the BAA will need to have been amended for compliance with the Omnibus Rule). Any new BAAs signed after January 24, 2013 should comply with the new requirements under Omnibus Rule, and be in place by September 23, 2013.