Don’t Put Off That New HIPAA Business Associate Agreement: September 23, 2014 Deadline Looms

It’s been a while, but we have another HIPAA deadline just around the corner: September 23, 2014.

September 23, 2014 is the date by which all HIPAA business associate agreements need to be in compliance with the current HIPAA regulations (often called the Omnibus Rule). The current rules went into effect on March 26, 2013, but certain then-existing HIPAA BAAs were grandfathered and did not have to be updated immediately. The grandfathering ends and up-to-date BAAs must be in place starting September 23, 2014.

Specifically, compliance was required 180 days following the HIPAA Omnibus Rule’s effective date (3/26/13); that initial deadline was September 23, 2013.  Additional time was provided for covered entities to enter into updated business associate agreements under certain circumstances, e.g., if the then-existing BAA complied with prior HIPAA rules, the parties to the BAA had an additional year to bring their BAAs into compliance with new Omnibus Rule.  That grandfathering will soon come to an end.

If you already updated your BAAs to be consistent with the Omnibus Rule, there’s nothing more to do right now (although it never hurts to review your agreements and to make sure you have BAAs where they are needed.)

As you revisit your BAAs, look at some of the elements to see if they can be made more favorable, including the following types of provisions:

  • breach notification timing;
  • ownership of data;
  • mitigation and breach response obligations;
  • indemnification;
  • insurance; and
  • incorporation of other federal and parallel state data security standards.

Leave a Reply

Your email address will not be published. Required fields are marked *