Compliance Deadline Looms for HIPAA Business Associate Agreements

On January 25, 2013, the U.S. Department of Health and Human Services (“HHS”) published the “omnibus” final rule  (“Final Rule”) which made additional amendments to the privacy and security regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). As a result of the Final Rule, HIPAA covered entities and business associates have been required to update their business associate agreements (“BAA”).

Please note that September 23, 2014 – an important compliance deadline – looms on the horizon for those BAA which were “grandfathered” by HHS under the Final Rule because the BAA (1) existed prior to January 25, 2013, (2) complied with the original BAA requirements set out in 45 CFR 164.503(e), and (3) were not otherwise renewed or modified since September 23, 2013, the Final Rule’s original compliance deadline. 

Therefore, we urge all HIPAA covered entities and business associates to make every effort to update these BAA to incorporate the new Final Rule requirements on or before the September 23, 2014 compliance deadline.  If you have any questions or require assistance with these matters, please contact Meghan McNab at mmcnab@kdlegal.com or Susan Ziel at sziel@kdlegal.com.