HIPAA business associate agreements: Update deadline approaches

September 3, 2014

Healthcare providers who share HIPAA-protected health information with certain service providers must update their written agreements by September 22, 2014.

Ned Milenkovich

Healthcare providers such as pharmacies, health plans, and healthcare clearinghouses that share protected health information with an entity providing certain services (so-called “business associates”) must have a written agreement that complies with HIPAA’s requirements before any patient-related information is shared.

Business associates who use protected health information might perform such services as legal, actuarial, accounting, claims processing, utilization review, data analysis, quality assurance, and consulting.

For example, a pharmacy might need business associate contracts with companies that shred and store documents containing patient health information. Or a pharmacy might contract with a health information organization that manages the exchange of protected health information through a network on behalf of many covered providers.

Larger organizations, such as electronic medical records companies, may have hundreds of business associate contracts that require review and revision to ensure compliance with federal regulations.


Timelines

In 2013, the Department of Health and Human Services (HHS) issued its omnibus final rule, which required updates to contracts between providers, plans, or clearinghouses and their business associates.

The 2013 rule also made business associates (including subcontractors) of providers, plans, and clearinghouses directly liable for noncompliance with HIPAA’s updated privacy and security requirements. Now, business associates are subject to civil and criminal penalties for HIPAA violations, such as improper use or disclosure of protected health information.

HHS provided different timelines for incorporating the 2013 HIPAA requirements into business associate agreements. The deadlines for updating business associate agreements depend on three factors: the date the agreement was created; whether it complied with HIPAA’s requirements at the time; and whether it was renewed or modified.

However, even if a provider, plan, or clearinghouse and its business associate had a grandfathered contract that was deemed compliant by HHS, the business associate was still required to comply with the new 2013 regulatory safeguards for protected health information.


Extension

Though many business associate contracts required updates by September 2013, HHS extended the compliance deadline to September 22, 2014, for certain agreements entered into before HHS issued its final rule. If a healthcare provider (such as a pharmacy) had a HIPAA business associate agreement in place before January 25, 2013, which complied with the law at the time and was not renewed or modified between March and September 2013, then HHS provided a transition period during which the agreement was “deemed compliant” until it was renewed or modified, or until September 22, 2014.

For example, if a pharmacy had a contract with a business associate for 2012-2015, the contract contained HIPAA business associate language that complied with the law as of 2012, and the contract was not renewed, modified, or amended since 2012, HHS has stated that such a contract would be deemed compliant until September 22, 2014.

Less than a month

Providers, plans, and clearinghouses that share protected health information with business associates now have less than a month to update agreements created before January 25, 2013.

The extended compliance period that HHS provided for grandfathered contracts between covered entities and business associates expires September 22, 2014. By that date, such agreements must comply with current privacy, security, and breach laws or HHS will consider such contracts non-compliant.

In addition, the business associates engaged on behalf of providers, plans, and clearinghouses must review and update their downstream agreements with any subcontractors that handle protected health information to ensure that the requirements of the main agreement apply to the subcontractors.