Transitional Compliance Period for Business Associate Agreements Expiring September 23, 2014

19 September 2014 Health Care Law Today Blog

If they have not already done so, covered entities and business associates have until September 23, 2014, to update their business associate agreements to comply with the January 2013 changes to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”). 

As we reported last year, the January 2013 omnibus final rule (the “Rule”) extended the reach of HIPAA to a broad range of entities that were not previously covered, by expanding the definition of “business associate” to include downstream subcontractors and certain other entities. Among other things, the Rule also expanded the required elements of business associate agreements to include provisions requiring that business associates: 

  1. Comply, where applicable, with the Security Rule with regard to electronic protected health information;
  2. Report breaches of unsecured protected health information to covered entities; and
  3. Ensure that any subcontractors that create or receive protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate.

Business associates became directly liable for violations of such provisions, with maximum civil fines of up to $1.5 million per year. View our earlier posting about the Rule and its requirements.

In adopting the Rule, the Department of Health and Human Services (“DHHS”) proposed transition provisions to allow covered entities and their business associates to continue to operate – including by disclosing protected health information and creating or receiving protected health information on behalf of the covered entity consistent with HIPAA – under certain existing contracts for up to one year beyond the initial compliance date under the Rule. The transition provisions were available where the parties had an existing written contract or other written arrangement that complied with HIPAA and its implementing regulations in effect prior to January 25, 2013, so long as the contract or arrangement was not otherwise renewed or modified between March 26, 2013 and September 23, 2013. With respect to business associates and their subcontractors, the Rule grandfathered existing written agreements that complied with the applicable provisions of HIPAA in effect prior to the Rule, including 45 CFR 164.504(e)(2)(ii)(D) (which provision required the business associate to ensure that its agents with access to protected health information agree to the same restrictions and conditions that apply to the business associate).

DHHS agreed to deem such pre-existing contracts compliant with the Rule until either the covered entity or business associate, as applicable, renewed or modified the contract or September 22, 2014, whichever is earlier. Contracts with an automatic or “evergreen” renewal provision would also continue to be deemed compliant, regardless of any automatic renewal during the transition period. The transition provisions only applied to the requirement to amend contracts. They did not affect any other compliance obligations under HIPAA. That is, a business associate is not allowed to use or disclose protected health information in a manner that is contrary to HIPAA, even if its agreement with a covered entity has not yet been amended.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.

Related Services