The HIPAA Omnibus Rule, published in January 2013, made a number of changes to the HIPAA privacy, security and breach notification rules. Some of these changes affected the business associate provisions of the HIPAA privacy and security rules and required amendment of existing business associate agreements (“BAAs”).

Although compliance with the Omnibus Rule was required as of September 23, 2013, the Omnibus Rule “grandfathered” certain BAAs that were in effect prior to January 25, 2013. Under the grandfathering provisions, those BAAs must be amended to comply with the Omnibus Rule by September 22, 2014 (or earlier, if the BAA was renewed or modified on or after September 23, 2013). This transition period has been a welcome provision, giving health care organizations time to bring existing BAAs into compliance with the Omnibus Rule. It is important to remember, however, that the transition period expires in two weeks: all BAAs must be compliant with the Omnibus Rule by September 22, 2014.

Some of the key provisions that must be included in the BAAs under the Omnibus Rule include:

  • Specifying that the business associate must comply with the HIPAA security rules,
  • Requiring the business associate to notify the covered entity regarding breaches of unsecured protected health information,
  • Updating the provisions related to subcontractors, and
  • Providing that, to the extent the business associate carries out any of the covered entity's obligations under the HIPAA privacy rule, the business associate will comply with the requirements of that rule that apply to the covered entity in the performance of those obligations.

In addition to including in BAAs provisions required by the Omnibus Rule, the parties may also choose to add provisions that would clarify the various responsibilities of the parties from a business perspective (for example, addressing financial responsibility in the event of a breach of unsecured protected health information).

Given the upcoming compliance deadline and the heightened enforcement of the HIPAA rules, it is important that covered entities identify all vendors that are considered to be a business associate and ensure that Omnibus Rule compliant BAAs are in place with all business associates by September 22, 2014.