If they have not already done so, covered entities and business associates have until September 23, 2014, to update their business associate agreements to comply with the January 2013 changes to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).
As we reported last year, the January 2013 omnibus final rule (the “Rule”) extended the reach of HIPAA to a broad range of entities that were not previously covered, by expanding the definition of “business associate” to include downstream subcontractors and certain other entities. Among other things, the Rule also expanded the required elements of business associate agreements to include provisions requiring that business associates:
- Comply, where applicable, with the Security Rule with regard to electronic protected health information;
- Report breaches of unsecured protected health information to covered entities; and
- Ensure that any subcontractors that create or receive protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate.
Business associates became directly liable for violations of such provisions, with civil fines of up to $1.5 million per year. View our earlier posting about the Rule and its requirements.
In adopting the Rule, the Department of Health and Human Services (“DHHS”) proposed transition provisions to allow covered entities and their business associates to continue to operate – including by disclosing protected health information and creating or receiving protected health information on behalf of the covered entity consistent with HIPAA – under certain existing contracts for up to one year beyond the initial compliance date under the Rule. The transition provisions were available where the parties had an existing written contract or other written arrangement that complied with HIPAA and its implementing regulations in effect prior to January 25, 2013, so long as the contract or arrangement was not otherwise renewed or modified between March 26, 2013 and September 23, 2013. With respect to business associates and their subcontractors, the Rule grandfathered existing written agreements that complied with the applicable provisions of HIPAA in effect prior to the Rule, including 45 CFR 164.504(e)(2)(ii)(D) (which provision required the business associate to ensure that its agents with access to protected health information agree to the same restrictions and conditions that apply to the business associate).
DHHS agreed to deem such pre-existing contracts compliant with the Rule until either the covered entity or business associate, as applicable, renewed or modified the contract or September 22, 2014, whichever is earlier. Contracts with an automatic or “evergreen” renewal provision would also continue to be deemed compliant, regardless of any automatic renewal during the transition period. The transition provisions only applied to the requirement to amend contracts. They did not affect any other compliance obligations under HIPAA. That is, a business associate is not allowed to use or disclose protected health information in a manner that is contrary to HIPAA, even if its agreement with a covered entity has not yet been amended.