3 September 2014

Don’t Put Off That New HIPAA Business Associate Agreement: September 23, 2014 Deadline Looms

Foley Hoag LLP

It's been a while, but we have another HIPAA deadline just around the corner: September 23, 2014.

September 23, 2014 is the date by which all HIPAA business associate agreements need to be in compliance with the current HIPAA regulations (often called the Omnibus Rule). The current rules went into effect on March 26, 2013, but certain then-existing HIPAA BAAs were grandfathered and did not have to be updated immediately. The grandfathering ends and up-to-date BAAs must be in place starting September 23, 2014.

Specifically, compliance was required 180 days after the HIPAA Omnibus Rule's effective date (3/26/13); that initial deadline was September 23, 2013. Additional time was provided for covered entities to enter into updated business associate agreements under certain circumstances, e.g., if the then-existing BAA complied with the prior HIPAA rules, the parties to the BAA had an additional year to bring it into compliance with the new Omnibus Rule. That grandfathering will soon come to an end.

If you have already updated your BAAs to be consistent with the Omnibus Rule, there is nothing more to do right now (although it never hurts to review your agreements and to make sure you have BAAs in place wherever they are needed).

As you revisit your BAAs, look at some of the elements to see if they can be made more favorable, including the following types of provisions:

  • breach notification timing;
  • ownership of data;
  • mitigation and breach response obligations;
  • indemnification;
  • insurance; and
  • incorporation of other federal and parallel state data security standards.
