Health Care Law Blog
The Final HIPAA Omnibus Rule ("Final Rule"), published January 25, 2013, contains several new requirements for business associate ("BA") agreements. Although the requirements took effect on September 23, 2013, BA agreements that were already in place before January 25, 2013 were grandfathered and deemed compliant for one additional year. With that one-year transition period ending soon, covered entities and business associates must ensure that their grandfathered BA agreements are updated to comply with the Final Rule before the September 22, 2014 deadline.
To meet the deadline, covered entities and business associates should review all existing BA agreements, determine whether each one is HIPAA-compliant, and amend those that are not. The Final Rule also requires business associates to have written agreements with their own subcontractors that meet the same new requirements.
Specifically, updated BA agreements must provide that the business associate will:
- Comply with the HIPAA Security Rule with respect to electronic Protected Health Information ("PHI");
- Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract with the covered entity;
- Not use or disclose the PHI other than as permitted by the BA agreement or as required by law;
- To the extent the business associate is to carry out a covered entity's obligation under the HIPAA Privacy Rule (such as providing access or copies of PHI to individuals), comply with the requirements of the Privacy Rule that apply to the covered entity in the performance of such obligation;
- Make available to the Secretary of Health and Human Services its internal practices, books and records relating to the use and disclosure of PHI for purposes of determining the covered entity's compliance with the HIPAA Privacy Rule;
- Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the business associate agree in writing to the same restrictions and conditions that apply to the business associate; and
- Promptly report any security incidents and breaches of unsecured PHI to the covered entity.
If covered entities and business associates do not update their BA agreements to comply with the Final Rule before the deadline, any exchange of PHI between the parties after that date could be an impermissible disclosure in violation of the Final Rule. Under the Final Rule, a business associate is directly liable, and subject to potential civil and criminal penalties, for using or disclosing PHI in a manner not authorized by its contract with the covered entity. A business associate is also directly liable for failing to safeguard electronic PHI in accordance with the HIPAA Security Rule. In addition, a covered entity may be vicariously liable for a business associate's misconduct unless the covered entity has complied with the BA agreement requirements above and did not know of the business associate's misconduct.
Accordingly, covered entities and business associates should ensure that their BA agreements comply with the requirements of the Final Rule before the September 22 deadline.
If you have any questions about updating your BA agreements or complying with the Final Rule, please contact an attorney in our Health Care Practice Group.
Julie C. LaVille authored this article as a Law Clerk.
