Covered entities and business associates who have relied on "grandfathered" business associate agreements (BAAs) are required to update all BAAs to satisfy the new Health Insurance Portability and Accountability Act of 1996 (HIPAA) BAA requirements by September 22, 2014. The following questions and answers will help you better understand what is required and how you can remain HIPAA compliant.

What is a "grandfathered" BAA? On January 25, 2013, the Department of Health and Human Services (HHS) published regulations implementing a number of modifications to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules (together, the "Final Rules"). One of these modifications included new requirements for BAAs. To allow covered entities and business associates time to implement the new BAA requirements, HHS grandfathered BAAs that were in effect prior to January 25, 2013 until the earlier of (i) the date on which the existing BAA was renewed or modified, or (ii) September 22, 2014.

What new requirements need to be added to "old" BAAs under the Final Rules? BAAs should now include language obligating the business associate to comply with the Security Rule. The following additional Privacy Rule requirements also should be added:

  • Business associates must ensure that their subcontractors agree, in writing, to the same restrictions and conditions regarding protected health information (PHI) that the business associate agrees to in the BAA. Note: Language indicating that the subcontractor will agree to similar or substantially similar restrictions and conditions is no longer sufficient to comply.
  • If the business associate is to perform any of the covered entity's obligations under the Privacy Rule, the BAA must provide that the business associate will also comply with all of the Privacy Rule's requirements of the covered entity that pertain to those obligations.

Lastly, although covered entities are responsible for reporting breaches of unsecured PHI to the HHS Office of Civil Rights (OCR), BAAs should include language addressing when and how the business associate should report potential breaches to the covered entity.

What contracted services now trigger the need to have a BAA in place? The Final Rules expanded the definition of "business associate" to include all entities that create, receive, maintain or transmit PHI on behalf of a covered entity, including subcontractors to whom a business associate delegates a function, activity or service. Thus, a document or data storage company that stores PHI on behalf of a covered entity or business associate is considered a business associate, even if the entity does not actually view any PHI. As a result, covered entities and business associates now need to have a BAA in place with certain software service providers and paper records storage companies, as well as other vendors, although this was not previously required.

What should I do to comply? Create a list of vendors that perform services that require a BAA and ensure all such vendors have executed an updated BAA. The Health Care team at Reinhart Boerner Van Deuren s.c. is available to assist you in reviewing, renegotiating or amending your BAAs before the September 22, 2014 deadline, as well as to consult with you to identify whether you or your business partner falls within the new definition of a business associate.