• Deadline is Fast Approaching for Business Associate Agreements to Comply with HIPAA's Omnibus Rule
  • July 26, 2014
  • Law Firm: McDonald Hopkins LLC - Cleveland Office
  • Deadline is Sept. 23, 2014

    Many organizations, whether business associates, covered entities, or contractors/vendors of business associates, have updated their business associate agreements to comply with the Omnibus Rule. However, many others have not. All business associate agreements must be brought into compliance with the Omnibus Rule by Sept. 23, 2014.

    Whether you are a covered entity who deals with business associates or a business associate who provides services to covered entities, you should review all of your business associate arrangements to confirm that you have written business associate agreements in place that comply with the HIPAA Privacy and Security Rules as updated by the Omnibus Rule. Start this process by identifying all of your business associate and contractor/vendor relationships.


    Under the Omnibus Rule published in early 2013 by the United States Department of Health and Human Services, all business associate agreements must comply with the Omnibus Rule’s requirements, which modified the prior standards for business associate agreements. For purposes of this Alert, the term “business associate agreement” will refer to both (1) an agreement between a covered entity and a business associate and (2) an agreement between a business associate and a subcontractor who provides services to the business associate. It should be noted that these two agreements will typically contain slightly different provisions.

    The deadline for compliance was generally Sept. 23, 2013. There was an exception for written business associate agreements which (1) were in existence prior to Jan. 25, 2013, (2) complied with the HIPAA Privacy and Security Rules as in effect immediately prior to Jan. 25, 2013, and (3) were not subsequently modified or renewed. In the case of those “grandfathered” business associate agreements, the deadline to update the agreement to satisfy the Omnibus Rule is Sept. 23, 2014.

    "Battle of the forms"

    Although business associate agreements are generally quite similar, there is no standardized “one size fits all” form. There can be significant differences, particularly involving notice requirements, indemnification or damage limitations, and insurance requirements. We regularly encounter situations involving a “battle of the forms” in which the business associate sends the covered entity its standard form, and the covered entity sends the business associate its standard form.

    Whether you are a business associate, a covered entity, or a contractor/vendor of a business associate, make certain that you understand the terms of any business associate agreement you enter into and appreciate the differences between those provisions which are mandated by law and those in which there is some flexibility and for which there can be alternative provisions. As you review any business associate agreement, consider also the provisions of the underlying agreement pursuant to which the underlying services (e.g., billing or consulting) are provided. Terms contained in the underlying agreement could impact your rights and responsibilities under the business associate agreement.

    Timely process

    The process for negotiating the updated terms can take time. Start the process now. If we can assist you in the preparation or review of business associate agreements, please let us know.

    Action steps

    • Identify all business associate relationships

    • Inventory and review all business associate agreements for compliance with the current HIPAA Privacy and Security Rule requirements for business associate agreements

    • Amend or replace all business associate agreements that do not comply with Omnibus Rule requirements