Deadline for Updating BAAs is Sept. 22, 2014
Posted on: September 22, 2014Categories: HR & ComplianceOn Jan. 25, 2013, the Department of Health and Human Services (HHS) issued a final rule under HIPAA’s administrative simplification provisions. The final rule updated HIPAA’s privacy, security, enforcement and breach notification requirements, and included changes required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act).
The final rule includes changes that may require updates to the agreements between covered entities (for example, a health plan) and their business associates. These types of agreements are often referred to as “business associate agreements” or BAAs.
The deadline for complying with the changes made by the final HIPAA rule was Sept. 23, 2013. However, a special transition rule applies to some business associate agreements. Under this transition rule, covered entities and business associates may have until Sept. 22, 2014, to revise their BAAs for the changes made by the final rule.
CHANGES FOR BUSINESS ASSOCIATES
Expanded Definition
The final HIPAA rule expanded the definition of “business associate” to include all entities that create, receive, maintain or transmit protected health information (PHI) on behalf of a covered entity, including subcontractors. Also, the final rule clarified that entities that store PHI, in hard copy or electronic format, are business associates even if they do not access, use or disclose that information.
The business associate that contracts with the subcontractor, and not the covered entity, is required to enter into a business associate agreement with the subcontractor. Under the final rule, a covered entity must obtain satisfactory assurances (through a BAA) from its business associates that they will appropriately safeguard PHI. Business associates must do the same with regard to their subcontractors and so on, no matter how far “downstream” the information flows.
COMPLIANCE OBLIGATIONS
The final rule also clarified the privacy and security provisions that directly apply to business associates, and noted that business associates are directly liable for failing to comply with these requirements. For example, business associates are directly responsible for complying with:
- The HIPAA Security Rules’ administrative, physical and technical requirements for safeguarding electronic PHI and implementing policies and procedures for protecting electronic PHI;
- The Privacy Rules’ restrictions on the use and disclosure of PHI; and
- Reporting breaches of unsecured PHI to a covered entity in compliance with HIPAA’s breach notification requirements.
BUSINESS ASSOCIATE AGREEMENTS
Covered entities, including health plans, and business associates should review their BAAs to confirm that they are up-to-date with the final HIPAA rule. For example, among other changes, the final HIPAA rule requires business associate agreements to state that a business associate will ensure that any subcontractors that create or receive PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information.
HHS has provided sample business associate agreement language for covered entities and business associates to use as a starting point in drafting their own agreements.
EXTENDED DEADLINE
The final HIPAA rule includes an extended compliance deadline for business associate agreements that were entered into prior to Jan. 25, 2013, and complied with the HIPAA requirements in effect on that date. The transition rule extended the time for the paperwork only—it did not extend the time allowed for the covered entity and business associate to comply with the changes made by the final HIPAA rule.
The transition period allows BAAs that were entered into prior to Jan. 25, 2013, and were not renewed or modified between March 26, 2013, and Sept. 23, 2013, to remain compliant until the earlier of:
- Sept. 23, 2014; or
- The date the agreement was renewed or modified after Sept. 23, 2013.
Thus, at the latest, business associate agreements should be updated to comply with the final rule by Sept. 22, 2014.
Because HHS has increased its enforcement activity under HIPAA’s Privacy and Security Rules lately, it is especially important for health plan sponsors to keep BAAs up to date and comply with all other applicable HIPAA requirements.