As of September 23, 2014, the HITECH Act Omnibus Final Rule’s grandfather exemption for HIPAA-required business associate agreements (BAAs) has expired. The HITECH Act Final Rule was released by the U.S. Department of Health & Human Services on January 17, 2013, making many changes to BAAs that are required under HIPAA. While all new BAAs were required to be compliant with the new requirements as of September 23, 2013, the HITECH Act Final Rule temporarily grandfathered existing BAAs that were entered into on or before January 25, 2013 and had not been modified after March 26, 2013.
Since the previously exempted BAAs now must be compliant, all HIPAA covered entities, business associates, and business associate subcontractors need to ensure that all of their BAAs are fully compliant with the HITECH Act Final Rule.
This can be an intense time commitment for large entities, such as health systems, that have numerous BAAs currently in place. In order to make sure all BAAs are properly updated or replaced, a good practice would be to conduct an inventory of all current BAAs, including BAAs in which the provider is the covered entity and BAAs in which the provider is a business associate or subcontractor. This inventory can then be used to determine which BAAs still need to be modified by an amendment or replaced with the entity’s revised form BAA. This may also be a good opportunity to consider whether the protections and restrictions in the form BAA go far enough in protecting individuals’ information.
Additionally, entities should review all business relationships to ensure they have a BAA in place where one is required under HIPAA. Existing business relationships may not have previously required a BAA but do now under the HITECH Act Final Rule’s expansion of the definition of “business associate.” One key change to the definition of “business associate” is the inclusion of subcontractors of business associates that deal with PHI.
Another key change is that entities that merely “maintain” PHI on behalf of a covered entity or business associate are now required to enter into a BAA. However, covered entities are not required to enter into BAAs with downstream subcontractors. Instead, the business associate that contracts with the subcontractor must enter into a BAA with the subcontractor.
If an entity has not yet updated its form BAA to comply with the HITECH Act Final Rule, HHS has provided compliant BAA provisions on its website. However, a full form of BAA has not yet been provided by HHS.