As you may recall, new provisions of the HIPAA regulations went into effect on September 23, 2013. Included were new requirements for Business Associate (BA) Agreements. The new regulations, however, grandfathered certain existing BA Agreements until September 23, 2014. Therefore, if you have not amended your BA Agreements to date, you must do so now! Your BA Agreements must include provisions for the following:

  • The BA must comply with the requirements of the HITECH Act, the Security Rule, as well as the applicable sections of the Privacy Rule.
  • The BA must comply with the "minimum necessary" standard.
  • The BA must promptly report to the Covered Entity any breaches of unsecured PHI, plus any use or disclosure of PHI in violation of HIPAA.
  • The BA must have a HIPAA-compliant BA Agreement with each of its subcontractors (and each subcontractor of a subcontractor, if applicable).
  • If the BA will carry out functions of the Covered Entity (e.g., providing access or copies of PHI to individuals), the BA must perform these functions in accordance with HIPAA.
  • If the BA maintains records in an electronic format, it will account for ALLdisclosures for at least a 3-year period.
  • The BA will abide by requirements not to disclose data to insurers and other health plans if the patient pays for the service in full and requests confidentiality.

If you haven’t received an amendment from your BA, then contact your BA now and discuss the amendments needed and the deadline for compliance. If you do receive an amendment, review it carefully to ensure that the BA hasn’t inserted additional terms unrelated to HIPAA or which go beyond the new requirements.  

Remember – you cannot disclose PHI to a BA without a HIPAA-compliant BA Agreement.