• E-mail
• Print
• RSS

Reassess BAAs to ensure omnibus rule compliance

HIM-HIPAA Insider, September 8, 2014

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

The September 23, 2014 deadline to revise business associate agreements (BAA) may have seemed like a date far into the future when the HIPAA omnibus final rule was released January 25, 2013. However, this compliance date is just around the corner as we continue to move along the road toward establishing and maintain compliance with the HIPAA privacy and security rules.

This date in September is notable because many organizations—both covered entities (CE) and business associates (BA)—find themselves dealing with the need to update or revise their BAAs. CEs were allowed to use existing BAAs for an additional year following the September 23, 2013 omnibus rule compliance date. Essentially, this meant that BAAs in place prior to January 25, 2013, which were not going to expire prior to September 23, 2013, could continue to be used until September 23, 2014. This gave BAs and CEs 18 months to determine what changes were needed to comply with the omnibus rule and then update or revise their BAAs accordingly. Despite the window of opportunity to address the issue of updating BAAs, it seems from my perspective that the majority of activity related to this task began occurring about a month or so before September 23, 2014.

HHS posted a sample BAA on its website January 25, 2013. In the second paragraph of the introduction, HHS lists 10 items that must be included in the written contract between a CE and its BA. Even though CEs and BAs may have recently updated their BAA in time for the compliance date, I believe it is worth the time to review these updated agreements and ensure they include the requirements identified in the HIPAA omnibus final rule.

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

• E-mail to a Colleague
• Print
• RSS
• Archive