The deadline for business associate agreements (BAAs) to be in compliance with the Omnibus Rule is Sept. 23, 2014. The Omnibus Rule was published in early 2013 by the U.S. Department of Health and Human Services, and it amended the Privacy, Security, Breach Notification and Enforcement Rules that were previously issued under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The Omnibus Rule expanded those HIPAA obligations that business associates are subject to, as well as the requirements applicable to BAAs. Existing agreements must be amended to incorporate new standards.
Explore This Issue
September 2014Although most BAAs were required to comply with the Omnibus Rule by Sept. 23, 2013, there was an exception for those HIPAA-compliant BAAs in existence prior to Jan. 25, 2013, which extended the deadline by a year.
Negotiation Considerations
Under the Omnibus Rule, the stakes are higher for all parties in negotiating the terms of a BAA. Although BAAs are often similar, there is no standardized form. There can be significant differences, including the notice requirements, indemnification or damage limitations, and insurance requirements. The nuances in each agreement could have a significant impact down the road, so treat each one as a unique circumstance that is worth reading carefully.
Whether you are a business associate, a covered entity or a contractor/vendor of a business associate, make certain that you review and are comfortable with the terms of any BAA you enter into and appreciate the differences between those provisions that are mandated by law and those for which there can be some flexibility to propose alternative language if it is less than favorable to you. As you review any BAA, also consider any underlying services agreement that exists, because terms contained in that agreement could affect your rights and responsibilities under the agreement.
The issue of whether a particular arrangement triggers business associate status (and therefore the need for a BAA) can result in tension between parties. Such disputes are likely to arise with increasing frequency due to the expanded business associate obligations and potential liabilities under the HIPAA rules. Some covered entities are requiring all vendors to sign a BAA, rather than analyzing if a particular vendor qualifies as a business associate. If you have evaluated and confirmed that you are not a business associate in a particular circumstance, but are still asked to sign a BAA, it’s important to consider the impact of signing the agreement. If you are not a business associate and sign the agreement, you are now obligated to comply with the terms of the BAA and, in most cases through the agreement terms, the HIPAA rules in their entirety. As a covered entity, a healthcare provider who transmits any health information in electronic form would already be required to comply with the HIPAA rules. However, signing a BAA would typically require the business associate to comply with reporting and documentation obligations to the covered entity, which could be time consuming and costly.
Anyone who performs services or functions that fit within the definition of business associate will be subject to the business associate obligations, even if no BAA is signed.
Review Existing Relationships
If you are a covered entity, this would be a good opportunity to take a fresh look at your contractor and vendor relationships to confirm that those functioning as business associates have in fact signed a HIPAA-compliant BAA. Entities that function as business associates should do the same. Further, parties to any contract or other arrangement involving protected health information (PHI) should review their arrangements.