The deadline for business associate agreements (BAAs) to be in compliance with the Omnibus Rule is Sept. 23, 2014. The Omnibus Rule was published in early 2013 by the U.S. Department of Health and Human Services, and it amended the Privacy, Security, Breach Notification and Enforcement Rules that were previously issued under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The Omnibus Rule expanded those HIPAA obligations that business associates are subject to, as well as the requirements applicable to BAAs. Existing agreements must be amended to incorporate new standards.
Explore this issue: September 2014
Although most BAAs were required to comply with the Omnibus Rule by Sept. 23, 2013, there was an exception for those HIPAA-compliant BAAs in existence prior to Jan. 25, 2013, which extended the deadline by a year.
Under the Omnibus Rule, the stakes are higher for all parties in negotiating the terms of a BAA. Although BAAs are often similar, there is no standardized form. There can be significant differences, including the notice requirements, indemnification or damage limitations, and insurance requirements. The nuances in each agreement could have a significant impact down the road, so treat each one as a unique circumstance that is worth reading carefully.