ARTICLE
29 January 2013

OCR Releases Sample Business Associate Agreement Provisions

M
Mintz

Contributor

Mintz is a general practice, full-service Am Law 100 law firm with more than 600 attorneys. We are headquartered in Boston and have additional US offices in Los Angeles, Miami, New York City, San Diego, San Francisco, and Washington, DC, as well as an office in Toronto, Canada.
The HIPAA Omnibus Rule modified the minimum required contents of business associate agreements.
United States Privacy

The Department of Health and Human Services, Office for Civil Rights (OCR) has posted on its website sample business associate agreement provisions to help covered entities and business associates comply with the new business associate agreement requirements under the final HIPAA Omnibus Rule.

The HIPAA Omnibus Rule modified the minimum required contents of business associate agreements. In addition to previously required provisions, business associate agreements must now include provisions that require business associates to:

  • ♣ comply with the HIPAA Security Rule requirements;
  • ♣ report any security breach to the covered entity;
  • ♣ enter into a business associate agreement with any subcontractor that receives the covered entity's protected health information ("PHI"); and
  • ♣ comply with the provisions of the HIPAA Privacy Rule applicable to any obligation which the covered entity delegates to the business associate, such as the obligation to provide an individual with access to his or her PHI.

As we noted in our HIPAA Omnibus reference chart, the HIPAA Omnibus Rule expanded the definition of "business associate" to include subcontractors. This change means that covered entities must obtain satisfactory assurances in the form of business associate agreements from their business associates, and that business associates must do the same with regard to subcontractors who receive PHI. OCR indicated that while the sample business associate agreement provisions are written for use in a contract between a covered entity and its business associate, the language may also be adapted for a contract between a business associate and its subcontractor.

The template provisions are a helpful starting point, but additional revisions are advisable. For example, detail regarding notification and mitigation in the event of breach should be added. Indemnification has also become a common business associate provision in light of HITECH's increased monetary penalties.

Covered entities and business associates have until September 22, 2014 to make any necessary changes to business associate agreements. Any existing agreement modified after the September 23, 2013 Omnibus Rule effective date must include any previously omitted provisions.

For further information on the impact of the HIPAA Omnibus Rule, please register for our January 30 webinar, The New HIPAA Omnibus Rule & Your Liability.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More