The HIPAA "omnibus final rule" (Final Rule) released on January 25, 2013, which amended the requirements for business associate agreements (BAAs) between covered entities and their business associates, included a one-year transition rule. The transition rule permitted entities that had BAAs in place as of January 25, 2013 and that did not amend or renew them between March 26, 2013 and September 23, 2013 to continue operating under their existing BAAs during the one-year transition period, which will end on September 22, 2014..

In order to comply with the HIPAA Privacy and Security Rules and the HITECH Act, which made many HIPAA requirements directly applicable to business associates, all covered entities and business associates that relied on the transition rule are required to amend their BAAs by September 22. Required changes include provisions regarding security breach notification and modified use of and access to individuals’ protected health information (PHI).

A further discussion of the Final Rule may be found here. HIPAA covered entities and their business associates that have not amended their BAAs since January 25, 2013 to comply with the Final Rule should do so before the September 22 deadline because if a data breach or other HIPAA violation occurs, financial penalties will likely be far more severe for those that have not complied.