Under the Final Omnibus Rule issued earlier this year by the Department of Health and Human Services, “covered entities” as defined by HIPAA must update their business associate agreements with their business associates. Generally, the deadline is September 23, 2013. Business associates that use downstream contractors to provide services to the business associate, and that disclose a covered entity’s protected health information to those contractors, must enter into or update agreements with the downstream contractors that comply with the new requirements.
There is one exception to this deadline: Written business associate agreements which were (1) in place prior to January 25, 2013, and (2) complied with the HIPAA privacy and security rules as in effect prior to January 25, 2013, and were not thereafter modified or renewed, do not need to be updated until September 23, 2014.
An individual or entity is considered a “covered entity” subject to HIPAA requirements if it is a health care provider, a health plan or a health care clearinghouse. Under the HIPAA regulations, a “health care provider” is a “provider of medical or health services . . . and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.” Subject to certain exceptions, a “health plan” is “an individual or group plan that provides or pays the cost of medical care . . . .” Included in the definition of “health plan” is a “group health plan,” which, again subject to certain exceptions, is “an employee welfare benefit plan . . . to the extent that the plan provides medical care . . . including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise . . . .”
In summary, by September 23, 2013, the following must happen unless the one-year extension referred to above applies:
- If you are a covered entity, make sure that you have an updated business associate agreement that complies with the Final Omnibus Rule with all business associates.
- If you are a business associate, make sure you have an updated business associate agreement with all covered entities for whom you provide business associate services, and that you have an updated agreement in place with any downstream subcontractor to which you provide protected health information.
- If you are a downstream subcontractor, make sure that you have an updated agreement in place with all business associates for which you provide services and from whom you receive protected health information.