[ Wednesday, September 03, 2014 ]
Business Associate Agreement Deadline Approaching: the Omnibus Rule made a few relatively minor changes to the business associate agreement requirements, and imposed an initial deadline of September 23, 2013 for compliance. However, it did allow a certain "grandfathering" of BAAs that met the then-existing requirements and were already in place; that grandfathering was not limitless, and only allowed covered entities and business associates to keep their existing BAAs in place for an additional year. That year is about to end (NB: there's some confusion about whether September 22 or 23, 2014 is the appropriate date, but I don't think OCR will make that fine a distinction).
Jeff [5:19 PM]
If you are still operating on BAAs from 2003, you definitely need to update them to include what was required under the Security Rule in 2005, as well as what's required by HITECH and Omnibus (2009 and 2013, respectively). Now would be a good time to review your BAAs, particularly if you did not do so in 2013 or 2014.
One word of caution, though. A lot of covered entities are in the last month of pushing through "updated" BAAs, demanding their business associate vendors sign their new forms because they are absolutely required. All well and good, so far. However, many of these covered entites (hospital systems, I'm looking at you) are adding new, non-required provisions such as indemnification, encryption, and off-shoring requirements. In effect, they are trying to renegotiate their underlying agreements, and using the BAA requirement as a Trojan Horse.
My advice to covered entities: don't do that. If you need to update the BAA to meet Omnibus, do what is necessary, and nothing more. If you want to renegotiate the deal, or even if you want to require your BAs to jump through stricter hoops than you required before, that's OK, but be up front about it and don't try to hide behind the Omnibus Rule "required" changes.
My advice to business associates: read closely the new BAA, compare it with the old one, and call out your customers if they try to slide something by you.
Let's all be open and honest out there, OK?
Blogger: HIPAA Blog - Edit your Template