Health Law Gurus

September 22, 2014 – HIPAA Compliance Deadline for Business Associate Agreements Is Just Around the Corner

All business associate agreements (“BAAs”) must be updated and compliant with current Health Insurance Accountability and Portability Act (“HIPAA”) regulations by September 22, 2014. Failure to meet this deadline could result in large penalties for covered entities and/or business associates if there is a breach of protected health information (“PHI”) or a government audit. If you have not already done so, act now to ensure that you meet this important deadline.

Why do I need to update my BAAs by September 22, 2014?

The HIPAA Final Omnibus Rule (the “Final Rule”), published in January 2013, made many changes to the HIPAA regulations. One of the changes required covered entities and business associates to update their BAAs by September 23, 2013. However, the Final Rule established a transition period for certain BAAs, called grandfathered BAAs. Grandfathered BAAs are those that were in place prior to January 25, 2013 (and compliant with the then current HIPAA rules) and were not subsequently modified or amended. The transition period is ending this month. According to the Final Rule, all grandfathered BAAs must be in compliance with current HIPAA regulations by September 22, 2014.

How do I get more information about updating my BAAs?

The U.S. Department of Health and Human Services (“HHS”) has posted sample BAA provisions on its website. To access these provisions, click here. Note that these provisions are only samples provided by HHS for guidance. For advice specific to individual circumstances, you should contact an experienced health law attorney.

I have already updated my BAAs. Is there anything else I need to do?

If your BAAs are compliant with current HIPAA regulations, then there is nothing else that you must do by September 22, 2014.

However, you should consider the following:

• Proactively improve your HIPAA compliance. You should ensure that your organization actually has in place the safeguards that it is promising to implement by signing a BAA. For instance, when signing a BAA, covered entities and business associates are agreeing to have in place a risk analysis and a risk management program. Few covered entities and business associates have actually completed a bona fide risk analysis as required by HIPAA and few have implemented a proper risk management program. Now is the time to proactively improve your HIPAA compliance. Do not wait until you are audited or investigated for a breach of PHI.
• Consult with a health law attorney to determine if the provisions in the BAA are appropriate for the transaction. Many covered entities and business associates sign form BAAs without considering the implications of the provisions in the agreements. Covered entities and business associates may want to consider provisions addressing indemnification, breach notification reporting timeframes, insurance, waiver of jury trials, state law, and mitigation. This is only a suggested list. Consult with an attorney for advice specific to individual circumstances.
• Train your workforce and retrain regularly. Training is critical. Without training, the strongest policies are meaningless.
• Evaluate your business relationships to determine if all necessary BAAs are in place. In the event of a government audit or investigation, the government will ask to see a copy of your BAAs. Make sure that your organization has executed a BAA or a subcontractor BAA with all necessary parties.