HIPAA Omnibus Rule Changes: Six Months to Comply with Business Associate Agreements

The final revisions to the HIPAA Act, published in January 2013 in the Federal Register, were mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH). The final HIPAA Act revisions became effective on March 26, 2013 with extensive changes that have a major impact for all covered firms and their Business Associate Agreements (BAA).

The rather broad term of business associates was expanded to include the following categories:

  • Health Information entities

  • Third-party health record vendors

  • Organizations involved with health and health care information

  • Firms involved in the transmission, maintenance and routine accessibility of Protected Health Information PHI data

  • Electronic prescribing gateways used by pharmacies and physicians

  • Business associate subcontractors

  • The direct compliance liability under the Rules for Business Associates involving certain HIPAA Privacy and Security Rule requirements

New Guidelines Regarding Subcontractors

A timeline for compliance by covered entities of the provisions set forth in the new Rules was September 23, 2013. It includes the following:

One new requirement requires that all business associates must enter into agreements, known as BAA's, with all of their subcontractors who may create, receive, and/or transmit PHI for their organizations. BAA’s must be updated to include the PHI requirements and new obligations imposed by the final rule so that they fully understand the new changes.

The changes affect a number of areas including policies and procedures, security standards, physical safeguards, technical safeguards, PHI disclosures, administrative safeguards and all organizational requirements. On September 25, 2013, all PHI disclosures become subject to the new restrictions on the sale of PHI.

Final Deadline

The changes call for all covered entities to bring all of their Business Associate Agreements (“BAAs”) and their covered subcontractors into compliance with the new Rules is by September 22, 2014.

Jacqueline von Ogden

Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".