Last year, the U.S. Department of Health and Human Services (“HHS”) published the long-awaited Omnibus Final Rule, which made a number of modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (“HIPAA Final Rule”). As a result, Business Associate Agreements need to be revised to incorporate the required modifications. While the general compliance deadline for the HIPAA Final Rule was September 23, 2013, HHS offered a transition period to allow a little more time for existing Business Associate Agreements to be updated. If not already amended, covered entities (health plans, health care providers, and health care clearinghouses) and business associates have until September 22, 2014, to update their Agreements.
Some of the required amendments include providing that the business associate will comply with the requirements of the HIPAA Security Rule; including breach notification provisions; ensuring that business associate subcontractors agree to the same restrictions and conditions that the business associate has agreed to with respect to the handling of protected health information; and extending certain HIPAA Privacy Rule requirements to the business associate. HHS has published sample Business Associate Agreement language on its website, which can be viewed here.