
Deadline is Sept. 23, 2014

Many organizations, whether business associates, covered entities, or contractors/vendors of business associates, have updated their business associate agreements to comply with the Omnibus Rule. However, many others have not. All business associate agreements must be brought into compliance with the Omnibus Rule by Sept. 23, 2014.

Whether you are a covered entity who deals with business associates or a business associate who provides services to covered entities, you should review all of your business associate arrangements to confirm that you have written business associate agreements in place that comply with the HIPAA Privacy and Security Rules as updated by the Omnibus Rule. Start this process by identifying all of your business associate and contractor/vendor relationships.

Background

Under the Omnibus Rule published in early 2013 by the United States Department of Health and Human Services, all business associate agreements must comply with the Omnibus Rule’s requirements, which modified the prior standards for business associate agreements. For purposes of this Alert, the term “business associate agreement” will refer to both (1) an agreement between a covered entity and a business associate and (2) an agreement between a business associate and a subcontractor who provides services to the business associate. It should be noted that these two agreements will typically contain slightly different provisions.

The deadline for compliance was generally Sept. 23, 2013. There was an exception for written business associate agreements which (1) were in existence prior to Jan. 25, 2013, (2) complied with the HIPAA Privacy and Security Rules as in effect immediately prior to Jan. 25, 2013, and (3) were not subsequently modified or renewed. In the case of those “grandfathered” business associate agreements, the deadline to update the agreement to satisfy the Omnibus Rule is Sept. 23, 2014.

"Battle of the forms"

Although business associate agreements are generally quite similar, there is no standardized “one size fits all” form. There can be significant differences, particularly involving notice requirements, indemnification or damage limitations, and insurance requirements. We regularly encounter situations involving a “battle of the forms” in which the business associate sends the covered entity its standard form, and the covered entity sends the business associate its standard form.

Whether you are a business associate, a covered entity, or a contractor/vendor of a business associate, make certain that you understand the terms of any business associate agreement you enter into and appreciate the difference between provisions that are mandated by law and provisions that allow some flexibility and can be replaced by alternatives. As you review any business associate agreement, also consider the provisions of the underlying agreement under which the underlying services (e.g., billing or consulting) are provided. Terms contained in the underlying agreement could affect your rights and responsibilities under the business associate agreement.

Timely process

The process for negotiating the updated terms can take time. Start the process now. If we can assist you in the preparation or review of business associate agreements, please let us know.

 

Action steps 

  • Identify all business associate relationships (see our Healthcare Alert, "Who is a HIPAA business associate?")
  • Inventory and review all business associate agreements for compliance with the current HIPAA Privacy and Security Rule requirements for business associate agreements
  • Amend or replace all business associate agreements that do not comply with Omnibus Rule requirements

 

For more information and to answer your questions, contact:

John T. Mulligan
216.348.5435
jmulligan@mcdonaldhopkins.com

Rick L. Hindmand
312.642.2203
rhindmand@mcdonaldhopkins.com

Jane Pine Wood
508.385.5227
jwood@mcdonaldhopkins.com

Rachel H. Yaffe
312.642.2856
ryaffe@mcdonaldhopkins.com

Healthcare Practice

McDonald Hopkins has a large and diverse healthcare practice, which is national in scope. The firm represents a wide variety of healthcare providers, facilities, vendors, technology companies and associations. Our diverse experience enables us to give our clients a unique perspective on the issues that may confront them in the rapidly evolving healthcare environment.
