As we reported previously, in January 2013 the Department of Health and Human Services (HHS) issued final regulations modifying and clarifying the privacy, security and enforcement provisions under the Health Insurance Portability and Accountability Act (HIPAA).  Group health plans and business associates were generally required to comply with the final regulations by September 23, 2013. 

Transition Period Ending September 22, 2014

In order to relieve covered entities and business associates concerned with the administrative burden and cost of renegotiating existing business associate agreements (BAAs) to implement the new rules, HHS provided a transition period.  BAAs in place as of January 25, 2013 that were not modified or renewed between March 26, 2013 and September 23, 2013 were deemed to comply with the new regulations until the earlier of the date the BAA was next renewed or modified on or after September 23, 2013, or September 22, 2014.  The deemed compliance period therefore ends no later than September 22, 2014.

Under the final regulations, BAAs must provide that the business associate will:

  • Comply with the Security Rule with respect to electronic PHI;
  • Ensure that any subcontractors agree to comply with the same restrictions and conditions that apply to the business associate;
  • Report security incidents and breaches of unsecured PHI to the covered entity; and
  • To the extent the business associate will carry out a covered entity’s obligations under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to the covered entity.

Covered entities should identify all of their business associates, confirm which BAAs still rely on the transition relief, and make sure updated BAAs are in place by September 22, 2014.