REMINDER: Deadline to Update Business Associate Agreements was September 22, 2014
In January 2013, the Omnibus Rule was released by the Department of Health and Human Services
(HHS). The Omnibus Rule implements previously issued HITECH Act regulations and expands the existing HIPAA compliance requirements for business associates of covered entities. Health plans, health care providers, and health care clearinghouses are covered entities that must comply with HIPAA, HITECH and the Omnibus Rule. Business associates are individuals or entities that create, receive, maintain, or transmit Protected Health Information (PHI) of behalf of a covered entity. HIPAA requires covered entities to execute a business associate agreement (BAA) with each business associate before disclosing PHI to the business associate. It is important to remember that it is the covered entity’s responsibility to ensure that existing BAAs have been updated and executed by September 22, 2014.
Before the release of the Omnibus Rule, business associate agreements had to contain the
following elements: a description of permissible uses or disclosures of PHI, requirements to help the covered entity respond to individual rights, and certain termination provisions. If a covered entity had a compliant BAA in place on January 25, 2013 it has until September 22, 2014 to update/review it to ensure the following additional obligations of the business associate under the Omnibus Rule are included.
ï‚·Compliance with the HIPAA Security rule;
ï‚·Agreement to execute business associate agreements with their subcontractors;
ï‚·If the business associate carries out an obligation of a covered entity, compliance with any
HIPAA rule applicable to such obligation; and
ï‚·Reporting breaches of unsecured PHI to the covered entity.
Under the Omnibus Rule, business associates are required to fully comply with HIPAA/HITECH and
are subject to direct liability for noncompliance. However, it is still the covered entity’s responsibility to
ensure the appropriate business associate agreements are in place. The deadline for covered entities to
complete this task is September 22, 2014.
For more information and sample business associate agreement provisions visit the HHS website,