The required compliance dates for revising business associate agreements (“BAA”) between covered entities and business associates, or business associates with subcontractors, respectively, to reflect the new requirements of the Health Insurance Portability and Accountability Act (“HIPAA”) “omnibus” regulations issued on January 17th, 2013 (the “Final Rules”) are approaching. As a reminder, the “transition” rules with respect to such revisions are briefly summarized below:
- If, prior to January 25, 2013, the covered entity or business associate had in effect an existing BAA with a business associate or subcontractor, respectively, that complied with the prior provisions of the HIPAA Privacy and Security Rules, and such BAA was not renewed (except by automatic renewal pursuant to its terms) on or after March 26, 2013, then the BAA is considered “grandfathered” for one year and may continue to be used without modification until the earlier of (i) the date after September 23, 2013 on which the BAA is renewed or modified, or (ii) September 23, 2014.
- If a BAA existed on January 25, 2013, but is renewed (without automatic renewal pursuant to its terms) or otherwise modified prior to September 23, 2014, the BAA must be revised to comply with the new requirements of the Final Rule as of September 23, 2013.
- If a new BAA is entered into after January 25, 2013, the terms of that BAA must comply with the new requirements of the Final Rules as of September 23, 2013.
These compliance dates apply only to the technical requirement to amend BAAs; they do not affect the effective date of the compliance obligations of business associates and subcontractors under the HIPAA Privacy and Security Rules, which continues to be September 23, 2013.
For more information on the requirements of the Final Rule, please see our “DW Healthcare Legal News Archive” which is accessible through our DW Health Law Blog, at www.dwhealthlawblog.com.