Most covered entities (e.g., health plans and health care providers) are aware that they are obligated under HIPAA to have business associate agreements (“BAAs”) in place with their business associates who use or disclose protected health information (“PHI”) in carrying out their obligations to the covered entity (e.g., third-party administrators, claim processors, etc.). However, covered entities might not be aware that the Department of Health & Human Services (the “HHS”) recently issued the HIPAA Omnibus Rule, which alters the BAA content requirements (and makes other significant changes to HIPAA, which we will discuss in a separate blog entry).
While the new requirements are not a significant departure from the old BAA content requirements, covered entities must review and update their existing BAAs to ensure compliance with the new HIPAA Omnibus Rule. Required changes include:
- Updating the BAA to state that if the business associate is to carry out the covered entity’s obligations under the Privacy Rule (e.g., the provision of Notices of Privacy Practices), the business associate must comply with the requirements of the Privacy Rule that apply to the covered entity in the performance of such obligations; and
- Adding a provision stating that the business associate is directly subject to, and will comply with, the Security Rule with respect to electronic PHI.
Even more significant is the new requirement that a business associate must enter into a BAA with any subcontractor to whom it delegates a function, activity, or service that the business associate has agreed to perform for a covered entity, where that function, activity, or service involves the creation, receipt, maintenance, or transmission of PHI. For example, if a business associate serving as a third party administrator for a covered entity hires a company to handle document and media shredding to securely dispose of paper and electronic PHI, then the shredding company would be considered a subcontractor, and the parties would have to enter into a written BAA to govern the subcontractor’s HIPAA responsibilities. Previously, business associates were contractually required, through the terms of their BAAs with covered entities, to ensure that their subcontractors agreed to the same restrictions that applied to the business associates with respect to PHI; however, HIPAA itself did not specifically require a written BAA between a business associate and its subcontractor. Now, HIPAA’s written BAA requirements directly apply to business associates and their subcontractors. And, to the extent a subcontractor discloses PHI to one of its own subcontractors, the written BAA requirements apply there as well (and so on down the line).
Some business associates and subcontractors might be ahead of the curve and already have BAAs in place with their subcontractors. However, we expect that the majority do not. Accordingly, most business associates and subcontractors will need to take the following steps:
- Business associates and subcontractors must first evaluate their business relationships to determine where BAAs are required (i.e., evaluate which subcontractors create, receive, maintain, or transmit PHI or electronic PHI).
- Where a BAA is required, business associates and subcontractors must prepare and negotiate the terms of the BAAs.
- As part of the BAA preparation and negotiation process, business associates and subcontractors need to make certain that they fully understand their responsibilities under HIPAA and the BAAs, and they must ensure that they actually have the systems and procedures in place to comply with these responsibilities.
- After the parties have completed the previous steps, they must execute the BAA.
The good news is that covered entities, business associates, and subcontractors still have time to comply. The HIPAA Omnibus Rule became effective on March 26, 2013, but the new BAA requirements are generally not effective until September 23, 2013. This means that parties that do not currently have a BAA in place have until September 23, 2013 to execute a BAA that complies with these new requirements. Parties that had a BAA in place on January 25, 2013 that complied with the pre-HIPAA Omnibus Rule BAA requirements have additional time to update their BAAs. While these parties must comply with the substance of these new rules as of September 23, 2013, because they had a compliant BAA in place on January 25, 2013, these parties can wait until the earlier of the following to update their existing BAAs:
- The date the BAA is renewed or modified on or after September 23, 2013 or
- September 22, 2014.
The other piece of good news is that the HHS issued a model BAA that addresses these new legal requirements. While this model BAA is a decent start, it does not contain certain “best practices” provisions that we would typically recommend. For example, we generally recommend that BAAs include specific provisions outlining the parties’ responsibilities in the case of a breach of unsecured PHI (e.g., timing of notice, content of notice, who is responsible for informing affected individuals, steps the parties must take to mitigate harmful effects, etc.). The HHS does not address these types of important issues in its model BAA. Additionally, the model BAA contemplates a covered entity and a business associate as the relevant parties. Accordingly, for business associates who need BAAs for their subcontractors, the model BAA would need to be modified significantly to reflect the relationship between the parties. So, while the model BAA may be a good starting point, we recommend revising this model BAA so that the agreement complies with all relevant legal requirements, accurately reflects the relationship between the parties, and adequately protects your interests.