On January 25, 2013, the U.S. Department of Health and Human Service, Office of Civil Rights (OCR) published an updated version of its sample Business Associate Agreement. This updated version reflects recent changes to the Privacy and Security rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) made by the Final Omnibus Rule released on January 17, 2013.1 OCR indicated that, in addition to use between a covered entity and a business associate, the updated Business Associate Agreement can be adapted for use between a business associate and its subcontractors (who are now, as discussed below, also "business associates" per the Final Omnibus Rule). As with its predecessor, use of the new sample Business Associate Agreement is not a requirement for compliance with business associate contractual obligations under HIPAA, but its use should help ensure such compliance.
Certain provisions included in this new version of the sample Business Associate Agreement address security and breach-notification requirements that were not in effect when the initial version was published. For example, the new version includes provisions that address reporting obligations of business associates in the event of security incidents and breaches of unsecured protected health information (PHI). Also included are provisions requiring a business associate to continue to use appropriate safeguards and comply with HIPAA security obligations with respect to any electronic PHI that it retains upon termination of a governing Business Associate Agreement. The new version also contains a number of bracketed suggestions, such as including additional specification concerning a business associate’s breach notification obligations, how a business associate will respond to direct requests by individuals for access to their PHI in designated record sets, how a business associate will respond to direct requests by individuals to amend their PHI or receive an accounting of disclosures of their PHI. Please click here2 for the sample Business Associate Agreement.
The sample Business Associate Agreement is just one piece of the expanded compliance initiatives that covered entities and business associates must undertake in light of the Final Omnibus Rule. Current business associates are now directly subject to the lion’s share of the Privacy and Security rules, and, as such, are also subject to enforcement for noncompliance. They should review their legal risks and implement new and expanded HIPAA compliance policies and procedures. Subcontractors who now find themselves tapped as business associates are likely starting from square one in their HIPAA compliance programs in the face of enforcement penalties that now apply to them. All the links in the PHI "chain of trust" should plan to cooperate so that PHI is protected as it flows down the chain of trust. For example, downstream subcontractor business associate agreements must be at least as stringent as the upstream business associate agreements executed with a covered entity, so coordination among the parties will be required.