Updates to HIPAA
HIPAA Compliance: Business Associate Agreements (BAA)
As a reminder, in January 2013 the HIPAA Omnibus Rule was released. The rule contained new requirements for all of your Business Associate Agreements (BAA) and had a compliance date of September 23, 2013. However, the Omnibus Rule did allow a one year grandfathering period for amending or updating any BAAs that were in effect prior to January 25, 2013.
This one year grandfathering/grace period is coming to a close. If a BAA was in effect prior to the release of the Omnibus rule, you have until September 23, 2014 to make any required revisions in order to remain compliant with HIPAA.
In order to stay compliant with the Omnibus requirements and the September 23, 2014 deadline, below are some key items that you will want to include in your BAAs. Keep in mind that these are only the minimum set of revised requirements you should address within your amended or new BAAs; you will want to create amendments or new agreements that are specific to your needs:
- Include a section that allows you to verify that the BA is in compliance with the HIPAA security and privacy regulations.
- Ensure that the BA will report all breaches to you in a timely manner, and that these notifications are done in a standard format. You may want them to provide you with the contact information for those affected; a detailed account of the breach, including what was breached; and any steps they are taking to ensure the breach doesn’t occur again. Think of any information that you may require when you have to report the breach.
- If a BA uses any subcontractors, ensure that each subcontractor agrees to the same restrictions and conditions you apply to the BA.
- The BA must comply, where appropriate, with the Security Rule with regard to electronic PHI.
- To the extent the BA is to carry out the covered entity's obligations under the Privacy Rule, the BA must comply with the same requirements of the Privacy Rule that apply to the covered entity in the performance of those obligations.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was enacted on August 21, 1996. HIPAA required the Secretary of HHS to issue privacy regulations for individually identifiable health information if Congress did not enact such legislation within three years of the passage of HIPAA. Congress did not enact the aforementioned privacy legislation, and HHS, through notice and comment rulemaking, implemented the Privacy Rule on December 28, 2000, with a modification in 2002.
On Feb. 17, 2009, the American Recovery and Reinvestment Act (ARRA), also known as the stimulus bill, was signed into law and contained a provision that mandated the Secretary of HHS to make updates to HIPAA. These updates are in Title XIII, the Health Information Technology for Economic and Clinical Health (HITECH) Act. HHS released its regulations affecting both the privacy and security portions of HIPAA on Aug. 23, 2009, which then became effective on September 23; however, HHS will not begin active enforcement of these new regulations until Feb. 22, 2010. This extra time is to allow you to become compliant with the new regulations.
On January 25, 2013, the Modifications to the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act (GINA); Other Modifications to the HIPAA Rules, more commonly referred to as the HIPAA Omnibus Rule, was released. Its intention was to implement new privacy, security and enforcement provisions that provide greater protection of a patient's privacy and strengthen the ability of the government to enforce HIPAA. It had an effective date of March 26, 2013 and mandatory compliance dates of September 23, 2013 and September 23, 2014.
For more information regarding HIPAA, the HITECH Act and the final Omnibus Rule, please see the following references: