September 22, 2014 is the deadline to have all business associate and data use agreements updated to conform to the new requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Final Omnibus Rule (Omnibus Rule), which became effective September 23, 2013. Eligible business associate agreements and data use agreements are protected under the transition provisions of the Omnibus Rule until September 22, 2014.

On January 25, 2013, the US Department of Health and Human Services published the HIPAA Omnibus Rule, which includes a  transition provision permitting a covered entity, or a business associate with respect to a subcontractor, to continue to create, receive, maintain or transmit protected health information in reliance on a business associate agreement that complies with the prior rules. A similar transition provision permits a covered entity to continue to transmit a limited data set to a recipient in reliance on a data use agreement that complies with the prior rules. The transition provisions allow covered entities and business associates to operate under the earlier agreements until September 22, 2014.

The transition provisions apply to business associate agreements and data use agreements entered into prior to January 25, 2013 that complied with HIPAA rules then in effect so long as the agreement was not modified between March 26, 2013 and September 23, 2013.

Compliance with the Omnibus Rule requires careful review of existing business associate agreements and inclusion of a number of new requirements including, but not limited to:

  • Compliance with certain provisions of the Security Rule.
  • Business associates obtaining satisfactory assurances from subcontractors that they agree to comply with the Security Rule when they create, receive, maintain or transmit PHI, and that they agree to the same restrictions that apply to the business associate regarding PHI.
  • Business associates must report any security incidents, including breaches of unsecured PHI to the covered entity.
  • Business associates must comply with the requirements of the Privacy Rule when carrying out any of the covered entity’s obligations under the Privacy Rule.

As part of increased enforcement of HIPAA requirements, and in concert with revised penalty provisions under HIPAA, the federal government has indicated it will expand its HIPAA oversight through compliance reviews and audits. Therefore, both covered entities and business associates should consider conducting internal HIPAA audits and assessments to help identify and address any areas of concern.