The U.S. Department of Health & Human Services (“HHS”) issued final regulations in January 2013 modifying the privacy, security and enforcement provisions under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Covered entities and business associates were generally required to comply with the final regulations by Sept. 23, 2013. To reduce the administrative burden and cost of renegotiating existing business associate agreements, HHS provided a transition period. Business associate agreements in place as of Jan. 25, 2013, and not modified or renewed between March 26, 2013, and Sept. 23, 2013, were deemed to comply with the new regulations for up to 12 months. All relevant entities should note that the deemed compliance period ends Sept. 22, 2014.
As of that date, business associate agreements must require that business associates:
- Comply with the security rules with respect to electronic PHI;
- Obligate all subcontractors to comply with the same restrictions and conditions that apply to the business associate;
- Report security incidents and breaches of unsecured PHI to the covered entity; and
- To the extent the business associate will carry out a covered entity’s obligations under the privacy rule, comply with the requirements of the privacy rule that apply to the covered entity.
If you are a covered entity, you must now identify your business associates and update business associate agreements by Sept. 22, 2014.