The deadline for business associate agreements (BAAs) to be in compliance with the Omnibus Rule is Sept. 23, 2014. The Omnibus Rule was published in early 2013 by the U.S. Department of Health and Human Services, and it amended the Privacy, Security, Breach Notification and Enforcement Rules that were previously issued under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The Omnibus Rule expanded those HIPAA obligations that business associates are subject to, as well as the requirements applicable to BAAs. Existing agreements must be amended to incorporate new standards.
Although most BAAs were required to comply with the Omnibus Rule by Sept. 23, 2013, there was an exception for those HIPAA-compliant BAAs in existence prior to Jan. 25, 2013, which extended the deadline by a year.
Under the Omnibus Rule, the stakes are higher for all parties in negotiating the terms of a BAA. Although BAAs are often similar, there is no standardized form. There can be significant differences, including the notice requirements, indemnification or damage limitations, and insurance requirements. The nuances in each agreement could have a significant impact down the road, so treat each one as a unique circumstance that is worth reading carefully.
Whether you are a business associate, a covered entity or a contractor/vendor of a business associate, make certain that you review and are comfortable with the terms of any BAA you enter into and appreciate the differences between those provisions that are mandated by law and those for which there can be some flexibility to propose alternative language if it is less than favorable to you. As you review any BAA, also consider any underlying services agreement that exists, because terms contained in that agreement could affect your rights and responsibilities under the agreement.
The issue of whether a particular arrangement triggers business associate status (and therefore the need for a BAA) can result in tension between parties. Such disputes are likely to arise with increasing frequency due to the expanded business associate obligations and potential liabilities under the HIPAA rules. Some covered entities are requiring all vendors to sign a BAA, rather than analyzing if a particular vendor qualifies as a business associate. If you have evaluated and confirmed that you are not a business associate in a particular circumstance, but are still asked to sign a BAA, it’s important to consider the impact of signing the agreement. If you are not a business associate and sign the agreement, you are now obligated to comply with the terms of the BAA and, in most cases through the agreement terms, the HIPAA rules in their entirety. As a covered entity, a healthcare provider who transmits any health information in electronic form would already be required to comply with the HIPAA rules. However, signing a BAA would typically require the business associate to comply with reporting and documentation obligations to the covered entity, which could be time consuming and costly.
Anyone who performs services or functions that fit within the definition of business associate will be subject to the business associate obligations, even if no BAA is signed.
Review Existing Relationships
If you are a covered entity, this would be a good opportunity to take a fresh look at your contractor and vendor relationships to confirm that those functioning as business associates have in fact signed a HIPAA-compliant BAA. Entities that function as business associates should do the same. Further, parties to any contract or other arrangement involving protected health information (PHI) should review their arrangements.
Business associates that engage downstream contractors to provide services to (or on behalf of) the business associate and that will have access to a covered entity’s PHI must also enter into or update agreements with those downstream contractors. Anyone who performs services or functions that fit within the definition of business associate will be subject to the business associate obligations, even if no BAA is signed. Therefore, it’s important for both covered entities and business associates to identify those relationships implicating HIPAA and satisfy the HIPAA rules in connection with those relationships.
The initial question: Are you functioning as a covered entity or business associate? A covered entity under HIPAA is a healthcare provider that transmits health information in electronic form, a health plan or a healthcare clearinghouse (which includes certain medical billing companies that process and submit claims to health plans). Generally, an individual (other than a member of the covered entity’s workforce) or organization that performs or furnishes any function, activity or service, for or on behalf of a covered entity involving the use or disclosure of PHI, is considered a business associate. The Omnibus Rule also added new categories of business associates, including those who store or otherwise maintain PHI and certain subcontractors of business associates. Functions or activities that are performed on behalf of a covered entity by a business associate include claims processing or administration, billing, accounting and consulting. The HIPAA rules also specifiy certain individuals and entities that are not business associates.
Entities that generate or have access to PHI should have in place a process to ensure that potential new arrangements and existing relationships are evaluated and BAAs are executed when necessary. The process for negotiating a BAA can be time consuming, and Sept. 23, 2014, is right around the corner, so the time to start negotiations is now.
Steven M. Harris, Esq., is a nationally recognized healthcare attorney and a member of the law firm McDonald Hopkins LLC. He may be reached at email@example.com