{ Banner Image }

HIPAA Deadline Quickly Approaching – Are your Business Associate Agreements Up To Date?

business associate agreementsThe Final HIPAA Omnibus Rule ("Final Rule"), published January 25, 2013, contains several new requirements for business associate ("BA") agreements. While the requirements went into effect on September 23, 2013, grandfathered BA agreements that were in place prior to January 25, 2013 were deemed to be in compliance for one year. Now that the one year expiration of the deemed compliance is quickly approaching, covered entities and business associates must ensure that their grandfathered BA agreements are updated to comply with the Final Rule before the September 22, 2014 deadline.

To meet the deadline, covered entities and business associates should review and update all existing BA agreements to determine whether they are HIPAA-compliant. The Final Rule also requires business associates to have written BA agreements with their subcontractors that comply with the new requirements.

Specifically, updated BA agreements must provide that the business associate will:

  • Comply with the security rules with respect to electronic Protected Health Information ("PHI");
  • Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract with the covered entity;
  • Not use or disclose the PHI other than as permitted by the BA agreement or as required by law;
  • To the extent the business associate is to carry out a covered entity's obligation under the HIPAA Privacy Rule (such as providing access or copies of PHI to individuals), comply with the requirements of the Privacy Rule that apply to the covered entity in the performance of such obligation;
  • Make available to the Secretary of Health and Human Services its internal practices, books and records relating to the use and disclosure of PHI for purposes of determining the covered entity's compliance with the HIPAA Privacy Rule;
  • Ensure that any subcontractors with whom the business associate exchanges PHI agree to comply with the same restrictions and conditions that apply to the business associate; and
  • Promptly report any security incidents and breaches of unsecured PHI to the covered entity.

If covered entities and business associates do not update their BA agreements to comply with the Final Rule before the deadline, any exchange of PHI between the entities could be considered a breach of the Final Rule. Under the Final Rule, a business associate is directly liable and subject to potential civil and criminal penalties for making uses and disclosures of PHI that are not authorized by its contract with a covered entity. A business associate is also directly liable for failing to safeguard electronic PHI in accordance with the HIPAA Security Rule. Additionally, a covered entity may be vicariously liable for a business associate's misconduct, unless the covered entity has complied with the above requirements relating to the BA agreements and did not know of the business associate's misconduct.

Accordingly, covered entities and business associates should ensure that their BA agreements comply with the requirements of the Final Rule before the September 22 deadline.

If you have any questions about updating your BA agreements or complying with the Final Rule, please contact an attorney in our Health Care Practice Group.

Julie C. LaVille authored this article as a Law Clerk.

Categories: Compliance, HIPAA


Type the following characters: romeo, whisky, foxtrot, november, whisky, three

* Indicates a required field.

Subscribe to RSS»
Get Updates By Email:

Best Lawyers® 2021

Congratulations to the attorneys of the Health Care practice group at Foster Swift Collins & Smith, PC for their inclusion in the Best Lawyers in America 2021 edition. Firm-wide, 44 lawyers were listed. Best Lawyers lists are compiled based on an exhaustive peer-review evaluation and as lawyers are not required or allowed to pay a fee to be listed; inclusion in Best Lawyers is considered a singular honor. Health Care practice group members listed in Best Lawyers are as follows:

To see the full list of Foster Swift attorneys listed in Best Lawyers 2021, click here.