September 22, 2014 is the deadline to have business associate and data use agreements updated to conform to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Final Omnibus Rule (the Omnibus Rule), which became effective September 23, 2013.

The Omnibus Rule’s transition provisions protect eligible business associate agreements and data use agreements until the deadline. In early 2013, the US Department of Health and Human Services published the Omnibus Rule, which includes a transition provision permitting a covered entity, or a business associate with respect to a subcontractor, to continue to create, receive, maintain or transmit protected health information in reliance on a business associate agreement that complies with the prior rules. A similar transition provision permits a covered entity to continue to transmit a limited data set to a recipient in reliance on a data use agreement that complies with the prior rules. The transition provisions allow covered entities and business associates to operate under the earlier agreements until the deadline.

The transition provisions apply to business associate agreements and data use agreements entered into prior to January 25, 2013, that complied with HIPAA rules then in effect, so long as the agreement was not modified between March 26, 2013 and September 23, 2013.

Compliance with the Omnibus Rule requires careful review of existing business associate agreements and inclusion of a number of new requirements including, but not limited to:

  • Compliance with certain provisions of the Security Rule;
  • Business associates obtaining satisfactory assurances from subcontractors that they agree to comply with the Security Rule when they create, receive, maintain or transmit PHI, and that they agree to the same restrictions that apply to the business associate regarding PHI;
  • Business associates must report any security incidents, including breaches of unsecured PHI, to the covered entity; and
  • Business associates must comply with the requirements of the Privacy Rule when carrying out any of the covered entity’s obligations under the Privacy Rule.

The federal government has indicated it will expand its HIPAA oversight through compliance reviews and audits. Accordingly, both covered entities and business associates should consider conducting internal HIPAA audits and assessments to help identify and address any areas of concern.