- Business Associate Agreements May Require Amendment
- September 4, 2014 | Author: Jeffrey S. Ashendorf
- Law Firm: Ford & Harrison LLP - New York Office
The Omnibus Final Rule (the "Omnibus Rule") under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") was issued in January 2013 and became effective March 26, 2013, with a general compliance deadline of September 23, 2013. Compliance with the Omnibus Rule required changes to many HIPAA compliance practices and related documents, including business associate agreements, the HIPAA notice of privacy practices, and breach assessment policies and procedures.
With respect to business associate agreements, however, the Omnibus Rule included transition relief that allowed certain health plans an extended transition period within which to make necessary changes to their business associate agreements if certain conditions were met.
In order for a business associate agreement to qualify for the transition relief, the agreement must have been entered into prior to January 25, 2013 (the date the Omnibus Rule was issued) and the agreement must not have been modified or renewed between January 25, 2013, and September 22, 2013.
That transition relief expires on September 23, 2014 or upon the earlier modification or renewal of the agreement. This means that, as of September 23, 2014, all business associate agreements that have not been modified or renewed, or that have not already been updated, must be amended as necessary to reflect the changes made by the Omnibus Rule requirements. Therefore, covered entities - and their business associates - should review their business associate agreements to ensure that they have all been properly updated.
Changes made by the Omnibus Rule that may require amendments to business associate agreements include:
- an updated definition of "protected health information" ("PHI"), as well as limitations on using PHI for marketing purposes;
- requiring business associates to comply with the HIPAA Security Rule;
- imposition of breach identification and reporting obligations;
- changes in the forms in which documents are required to be provided in response to a request for PHI; and
- updated provisions applicable to subcontractors of the business associate.