The Omnibus HIPAA Rulemaking in January 2013 grandfathered, for a specified period of time, business associate agreements then in effect. 78 Fed. Reg. 5566, 5602 (January 25, 2013). Many covered entities, and business associates with subcontractor business associates, have already amended their agreements to come into compliance. Others have not. The final deadline to revise noncompliant agreements is September 23, 2014.

We encourage covered entities to review business associate agreements to ensure their compliance with the revised HIPAA rules prior to the deadline. While not obligatory, we also suggest documenting reminders to business associates of their obligation to have compliant business associate agreements in place with business associate subcontractors receiving protected health information.