On January 25, 2013, the Final HIPAA Omnibus Rule (the “Final Rule”) was published, containing several new requirements for business associate agreements. Even though it didn’t go into effect until September 23, 2013, any grandfathered business associate agreements that were in place prior to January 25, 2013, were considered to be in compliance for one year. The one-year expiration of the deemed compliance is quickly approaching, so covered entities and business associates must ensure that their grandfathered business associate agreements are current to comply with the Final Rule before September 22, 2014.
Review Business Associate Agreements Before the Deadline
To meet the deadline, covered entities and business associates should examine and renew all existing business associate agreements to determine whether they are HIPAA compliant. This also includes making sure that BA agreements with subcontractors are compliant and current.
These business associate agreements must indicate that the business associate will:
- Comply with the security rules with respect to electronic Protected Health Information (PHI).
- Utilize appropriate precautions to prevent use or disclosure of the information other than as provided by its contract.
- Not use or disclose the PHI for purposes other than as permitted by the business associate agreements, or as required by law.
- Carry out a covered entity’s obligation under the HIPAA Privacy Rule and comply with the requirements of the Privacy Rule that apply to the covered entity.
- Provide internal practices, books and records associated with the use and disclosure of PHI to the Secretary of Health and Human Services to determine the covered entity’s compliance with the HIPAA Privacy Rule.
- Ensure that any subcontractors with whom the business associate exchanges PHI agree to comply with the same restrictions and conditions that apply to the business associate agreements.
- Quickly report any security incidents and breaches of unsecured PHI to the covered entity.
If any covered entities and business associates do not keep their business associate agreements current in order to comply with the Final Rule before the deadline, any exchange of PHI between the entities could be considered a breach of the Final Rule. Business associates who fail to comply before the deadline may be liable, and subject to potential civil and criminal penalties, for making uses and disclosures of PHI that are not authorized by contract with a covered entity. A business associate is also liable for failing to safeguard electronic PHI in accordance with the HIPAA Security Rule. A covered entity may also be liable for a business associate’s misconduct, unless the covered entity has complied with the above requirements and did not know of the business associate’s misconduct.
We Can Help Prep Your Business Associate Agreements
It’s important that all covered entities and business associates ensure that their business associate agreements comply with the requirements of the Final Rule before the deadline.
If you have any questions about updating your BA agreements or complying with the Final Rule, please contact an attorney at The Law Offices of Craig Dorne P.A. Our lawyers interpret highly complex health care regulations and statutes governing the administration of health services. Contact us today for a consultation!