HIPAA BAA Deadline is Monday, September 23, 2013


by Margaret Young Levi

Reminder: the clock is ticking for covered entities and business associates to come into compliance with new requirements under HITECH-HIPAA Omnibus Rule.  Monday, September 23, 2013 is the deadline for covered entities and business associates to put into place new Business Associate Agreements (“BAAs”).  As we blogged on March 4th, any new BAAs signed after January 24, 2013 should comply with added requirements under the Omnibus Rule.  These new agreements must be signed and in place by September 23, 2013.

Current BAAs (those signed on or before January 24, 2013) will be grandfathered and deemed HIPAA compliant through September 23, 2014, at which time the BAA will need to have been amended for compliance with the Omnibus Rule. 

As a first step, covered entities should verify that they have identified all of their business associates, particularly in light of the revised definition of “business associate” in the Omnibus Rule.  Covered entities should enter into compliant BAAs with any newly identified Business Associates or with existing business associates if the agreements are renewed after January 24th (excluding those BAAs that automatically renewed). 

Business associates will now be directly liable for their actions under HIPAA and should take steps to identify their downstream business associates, called “subcontractors” and enter into BAAs with those subcontractors. 

See our March 4, 2013 post for additional details.