The final HIPAA Omnibus Rule (Omnibus Rule), published in the Federal Register on January 25, 2013, substantially increased the privacy and security responsibilities of a “business associate” of a “covered entity”, as those terms are defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (see the discussion later in this post regarding the expansion of the “business associate” definition). Among other changes, the Omnibus Rule requires a covered entity and business associate to revise their business associate agreement (BAA) to reflect the business associate’s new obligations. All BAAs signed after January 24, 2013 should already include the new language necessary to comply with the Omnibus Rule. BAAs that were signed on or before January 24, 2013 were deemed compliant until September 22, 2014; however, if such a BAA is renewed or modified before that date, it must be brought into actual compliance at the time of renewal or modification. Covered entities and business associates must ensure that all BAAs are compliant with the Omnibus Rule before the September 22, 2014 deadline.
Sample BAA Provisions
The final HIPAA-HITECH Omnibus Rule (Omnibus Rule), released in January, substantially increases the privacy responsibilities of a business associate that receives protected health information, such as contractors and subcontractors. These new requirements will need to be reflected in business associate agreements (BAAs) between the covered entity and the business associate as well as in agreements between a business associate and its subcontractor.
For example, BAAs must now contain provisions requiring business associates to notify the covered entity of any data breaches. Moreover, the Omnibus Rule expanded the definition of “business associates” to include subcontractors, which means business associates must now enter into BAAs with their subcontractors who access PHI.
The Department of Health & Human Services (HHS), Office for Civil Rights (OCR) has posted sample BAA provisions on its website to help covered entities and business associates more easily comply with the additional BAA requirements found in the Omnibus Rule. While these sample provisions are written for use in a contract between a covered entity and its business associate, the language may be tailored for purposes of a contract between a business associate and its subcontractor.
These sample provisions do not constitute a sample contract but are only a starting point. It is not enough to print and sign these provisions. As OCR warns, “These provisions address only concepts and requirements set forth in the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules, and alone may not be sufficient to result in a binding contract under State law. They do not include many formalities and substantive provisions that may be required or typically included in a valid contract. Reliance on this sample may not be sufficient for compliance with State law, and does not replace consultation with a lawyer or negotiations between the parties to the contract.” Moreover, there are common concepts in BAAs that are notably missing from the sample provisions, such as indemnification, notification, and mitigation, which should be considered for inclusion with any BAA.
If your current BAA was signed on or before January 24, 2013, then it will be deemed HIPAA compliant through September 23, 2014 (at which time the BAA will need to have been amended for compliance with the Omnibus Rule). Any new BAAs signed after January 24, 2013 should comply with the new requirements under the Omnibus Rule, and be in place by September 23, 2013.