
Deadline is Sept. 22, 2014

Many organizations (e.g., business associates, covered entities, contractors/vendors of business associates) have updated their business associate agreements to comply with HIPAA’s Omnibus Rule. However, many organizations still have not. Please be aware that all business associate agreements must be brought into compliance with the HIPAA Omnibus Rule by Sept. 22, 2014. 

Whether you are a covered entity who deals with business associates or a business associate who provides services to covered entities, you should review all of your business associate arrangements to confirm that you have written business associate agreements in place that comply with the HIPAA Privacy and Security Rules, as updated by the Omnibus Rule. Start this process by identifying all of your business associate contractor/vendor relationships and, if you are a business associate, any contractor/vendor relationships you have which involve your disclosure of protected health information (PHI). 


Under the Omnibus Rule published in early 2013 by the United States Department of Health and Human Services, all business associate agreements must comply with the Omnibus Rule’s requirements, which modified the prior standards for business associate agreements. For purposes of this Alert, the term “business associate agreement” will refer to both:

  1. An agreement between a covered entity and a business associate and
  2. An agreement between a business associate and a subcontractor who provides services to the business associate. It should be noted that these two agreements will typically contain slightly different provisions.

The deadline for compliance was generally Sept. 23, 2013. However, there was an exception for written business associate agreements which (1) were in existence prior to Jan. 25, 2013, (2) complied with the HIPAA Privacy and Security Rules as in effect immediately prior to Jan. 25, 2013, and (3) were not subsequently modified or renewed. In the case of those “grandfathered” business associate agreements, the deadline to update the agreement to satisfy the Omnibus Rule is Sept. 22, 2014.

"Battle of the forms"

Although business associate agreements are generally quite similar, there is no standardized “one size fits all” form. There can be significant differences, particularly involving notice requirements, indemnification or damage limitations, and insurance requirements. We regularly encounter situations involving a “battle of the forms” in which the business associate sends the covered entity its standard form, and the covered entity sends the business associate its standard form. 

Whether you are a business associate, a covered entity or a contractor/vendor of a business associate, make certain that you understand the terms of any business associate agreement you enter into and appreciate the differences between those provisions which are mandated by law and those in which there is some flexibility and for which there can be alternative provisions. As you review any business associate agreement, consider also the provisions of the underlying agreement pursuant to which the underlying services (e.g., billing or consulting) are provided. Terms contained in the underlying agreement could impact your rights and responsibilities under the business associate agreement and vice versa. 

Timely process

Take action now. There are fewer than three weeks left until the deadline. If we can assist you in the preparation or review of business associate agreements, please let us know.




Action steps  

  • Identify all business associate relationships (see our Healthcare Alert, "Who is a HIPAA business associate?")
  • Inventory and review all business associate agreements for compliance with the current HIPAA Privacy and Security Rule requirements for business associate agreements
  • Amend or replace all business associate agreements that do not comply with Omnibus Rule requirements