Deadline Drawing Near for Business Associate Agreement Updates

HIPAA covered entities (CE) only have until September 23, 2014 to complete the Business Associate Agreement updates as demanded by the HIPAA Omnibus Rule. The Omnibus Rule demands that Business Associate Agreement updates should have been made by September 23, 2013; however a final compliance date was also issued to cover BAA’s that had not been renewed before last year’s deadline.

Any CE that has not yet updated BAAs must do so in the next three weeks; however the task is not a quick and easy one as there are a number of Business Associate Agreement updates that must be made to pre-Omnibus Rule BAAs to ensure that compliance is maintained.

The Omnibus Rule extended HIPAA to cover not just Business Associates but also any subcontractors that they use. The BA must ensure that if subcontractors are used, that they too agree to abide by HIPAA Rules covering the privacy and security of Protected Health Information. This means that the Business Associate and the subcontractor must also enter into a BAA, and that documentation should be maintained by the Business Associate. If a subcontractor is used, a BAA between the subcontractor and the CE is not required.

BAAs must be in place before any PHI is transferred, and that applies to CEs and their BAs and BAs and their subcontractors. The subcontractor is the sole responsibility of the BA, not the covered entity that the BA is working for. It is important that any subcontractor BAA reflects the detail in the BAA that was signed between the BA and the CE, and must offer at least the same level of protection for PHI.

It is important to remember the new definitions which include not only subcontractors working for a BA, but also any software or e-prescribing gateways that have potential to contact or touch PHI.

HIPAA-covered entities are also required to update the terms of the BAA and stipulate the actions that the BA must take in order to protect PHI. These physical, administrative and technical safeguards – as laid down in the Security Rule – must be detailed in the BAA, along with the rules covering the use and disclosure of PHI.

Should any irregularities in the BAAs be discovered by the Office for Civil Rights, such as if Business Associate Agreements updates have not been made, the Business Associate and the covered entities could be deemed to be non-compliant, and both could be issued with a financial penalty. The penalties for HIPAA violations can rise to $1.5 million per violation.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of