On January 25, 2013, the same day that the HIPAA Omnibus Final Rule was published in the Federal Register, the Department of Health and Human Services (HHS) released a new, updated version of its sample Business Associate Agreement.
The HHS sample Business Associate Agreement includes changes to reflect the provisions of the HITECH Act and the Omnibus Final Rule.
While the HHS sample Business Associate Agreement is helpful to review, covered entities are advised not to use it without modifications. As HHS explains: “This is only sample language and use of these sample provisions is not required for compliance with the HIPAA Rules. The language may be changed to more accurately reflect business arrangements between a covered entity and business associate or business associate and subcontractor.” Further, HHS also notes: “Reliance on this sample may not be sufficient for compliance with State law, and does not replace consultation with a lawyer or negotiations between the parties to the contract.”
Covered entities will almost certainly need to revise their Business Associate Agreements based on the changes in the Omnibus Final Rule. However, covered entities have ample time to make these revisions. Business Associate Agreements will need to be revised by September 23, 2013. Those that were in place as of January 25, 2013, and that are not renewed or amended thereafter, are grandfathered for an extra year and must be revised by September 23, 2014.
We will be issuing a more detailed analysis of the Omnibus Final Rule revisions affecting Business Associates and Business Associate Agreements as part of our ongoing e-alert series on the Omnibus Final Rule, all of which are available in the links provided below.
This joint e-alert from Bricker & Eckler LLP and INCompliance