HIPAA Business Associate Agreements: Deadline Approaching

by Kim C. Stanger, Holland & Hart LLP

Covered entities and business associates that have not already done so must update their HIPAA business associate agreements to comply with Omnibus Rule requirements by September 22, 2014.

BAA Requirements. HIPAA requires that covered entities and business associates execute contracts (called “business associate agreements” or “BAAs”) which require that business associates comply with certain portions of the HIPAA Privacy, Security and Breach Notification Rules. (45 CFR 164.314(a), 164.502(e), and 164.504(e)). The HIPAA Omnibus Rule changed BAA requirements. Under the Omnibus Rule, covered entities and business associates must modify their BAAs to require business associates to:

  • comply with the HIPAA Security Rule;
  • execute BAAs with any of their subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate;
  • report security incidents, including breaches of unsecured health information; and
  • comply with the Privacy Rule requirements applicable to covered entities if and to the extent the business associate is to carry out a covered entity’s obligations under the Privacy Rule.

(45 CFR 164.314(a) and 164.502(e)). For a checklist of all required BAA terms, click here. The Office for Civil Rights (“OCR”) has also published sample BAA provisions, although the OCR sample may not include additional terms that covered entities or business associates may want to include in their BAAs.

Deadline. Covered entities and business associates were generally required to comply with Omnibus Rule requirements by September 23, 2013; however, the Omnibus Rule extended the deadline for BAA compliance to September 22, 2014 if (i) existing BAAs complied with HIPAA requirements as they existed as of January 25, 2013, and (ii) the BAA was not otherwise renewed or modified between March 26, 2013 and September 22, 2014. (45 CFR 164.532(e)). Thus, all BAAs must comply with the Omnibus Rule requirements by September 22, 2014.


For more information, contact:
Kim Stanger
Holland & Hart LLP
Email: kcstanger@hollandhart.com
Phone: 208-383-3913

This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.