By Billee Lightvoet Ward
Although the HIPAA Omnibus Rule (the “Rule”) went into effect nearly 18 months ago, the transition period for bringing business associate agreements into compliance with the Rule’s new requirements will end on September 23, 2014. Business associates were directly regulated and responsible for complying with the Rule as of September 23, 2013, but the Rule provided for a one-year transition period for certain business associate agreements that were in place prior to January 25, 2013 (the date the Rule was published). As of September 23, 2014, all business associate agreements must reflect the Rule’s new requirements. Those requirements include the following:
- Require that the business associate comply, and require its subcontractors to comply, with applicable requirements of the Security Rule;
- Require that the business associate ensure that its subcontractors agree to the same restrictions and conditions that apply to the business associate with respect to protected health information;
- Require that the business associate report breaches of unsecured protected health information to the covered entity;
- If the business associate carries out a covered entity’s obligation under the Privacy Rule, require that the business associate comply with the Privacy Rule requirements that apply to the performance of such obligation; and
- Require the business associate take steps to cure or end the violation (or terminate the relationship) if it knows of a pattern of activity or practice of its subcontractor that constitutes a material breach of the subcontractor’s obligations.
This upcoming deadline serves as a good reminder for covered entities and business associates to review, amend or replace existing business associate agreements. In addition, this deadline reminds covered entities of their obligation to exercise diligence in establishing and monitoring their business associate relationships going forward.
The Rule made sweeping changes to the concept of business associates by expanding the definition to include subcontractors who create, receive, maintain or transmit protected health information on behalf of a business associate; health information organizations, e-prescribing gateways, and certain other persons that provide data transmission services for covered entities; and persons that offer personal health records on behalf of a covered entity. Because the definition of business associate has been expanded to include many vendors who were not previously regulated by HIPAA, covered entities and business associates may need to educate downstream service providers on HIPAA’s applicability and required contract language. The parties may wish to negotiate additional terms such as insurance and indemnification provisions to allocate risks in light of their respective compliance obligations.