Deadline September 22, 2014
By Matt Fisher, Esq
Twitter: @matt_r_fisher
The much-anticipated HIPAA Omnibus Rule was published by the Department of Health and Human Services on January 23, 2013. For the most part, covered entities, business associates and subcontractors were required to comply with the changes effected by the Omnibus Rule by September 23, 2013. However, certain Business Associate Agreements were “grandfathered” by the Omnibus Rule and did not need to be updated last year.
To be grandfathered, a Business Associate Agreement had to meet the following conditions: (i) a written business associate agreement or otherwise compliant agreement was in place and effective as of January 25, 2013, and (ii) the pre-existing contract was not renewed or modified between March 26, 2013 and September 23, 2013. If those circumstances existed, then no immediate changes were required in 2013.
The grandfather, or holdover, period is quickly coming to an end, though. By regulation, all Business Associate Agreements must meet the new requirements as of September 22, 2014. Accordingly, do not delay: review all Business Associate Agreements that are in place and have not been updated since promulgation of the Omnibus Rule.
The upcoming deadline also offers covered entities the opportunity to reassess operations yet again and determine whether all required Business Associate Agreements are in place. For instance, have all cloud providers that store a healthcare entity’s data executed a Business Associate Agreement? Covered entities must make an honest and complete assessment of operations to ensure that necessary agreements are in place.
What should be done, though? After assessing the status of all agreements, either the covered entity or the business associate should proactively reach out and open discussions to update the Business Associate Agreement. Whether the Business Associate Agreement is completely rewritten or just amended will be up to the parties.
When updating the Business Associate Agreements, do not forget to check the Omnibus Rule for new requirements. For example, ensure that subcontractors comply with the same restrictions and conditions as the business associate, and require a business associate to comply with the requirements that a covered entity is subject to, to the extent the business associate carries out the covered entity’s obligations.
Remember, September 22nd is right around the corner. Don’t wait to update your Business Associate Agreements.
About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute.