Only two business days remain for HIPAA covered entities and business associates to update their grandfathered business associate agreements to comply with HIPAA’s Omnibus Rule. Failure to do so could expose the covered entity and its business associate (or business associate and its subcontractor) to penalties for HIPAA noncompliance.
Under the Omnibus Rule published in early 2013 by the United States Department of Health and Human Services, all business associate agreements must comply with the Omnibus Rule’s requirements, which modified the prior standards for business associate agreements. The deadline for compliance was generally September 23, 2013, but there was an exception for written business associate agreements which (1) were in existence prior to January 25, 2013, (2) complied with the HIPAA Privacy and Security Rules as in effect immediately prior to January 25, 2013, and (3) were not subsequently modified or renewed. In the case of those “grandfathered” business associate agreements, the deadline to update the agreement to satisfy the Omnibus Rule is September 22, 2014.
Please see our alert, “Deadline is fast approaching for business associate agreements to comply with HIPAA's Omnibus Rule,” for more information.