April 17, 2014

HIPAA Final Omnibus Rule & Business Associate Agreements

This week, Barnes & Thornburg’s Health Law Blog is examining the impact of the recently released Health Insurance Portability and Accountability Act Omnibus final rule (HIPAA Final Rule) on business associates. The HIPAA Final Rule has retooled the definition and responsibilities of business associates. The Department of Health and Human Services (HHS) has made sweeping changes to: who is considered a business associate; the obligations of business associates and subcontractors; and potential business associate and subcontractor liability. This blog entry specifically examines the impact of the HIPAA Final Rule on business associate agreements (BAAs).

In order to comply with the HIPAA Final Rule, BAAs between covered entities and business associates will require modification. A BAA must now: (1) establish the permitted and required uses and disclosures of protected health information (PHI) by the business associate; (2) require the business associate to report any breaches of unsecured PHI to the covered entity; (3) ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate; and (4) require the business associate to comply with any and all other HIPAA rules and regulations with which the covered entity would have to comply to the extent that the business associate performs related obligations. Specifically, the business associate will need to agree that it has technical, physical and administrative safeguards in place, and that it meets certain security standards. Essentially, business associates will need to take administrative actions and physical measures to protect PHI, which will also involve having appropriate policies and procedures in place. Business associates, like covered entities, will now be directly accountable for following many provisions of HIPAA. Due to increased HIPAA enforcement and the expansion of liability to business associates and subcontractors, covered entities and business associates should consider the role of indemnification provisions.

The new HIPAA Final Rule also expands compliance and potential liability to subcontractors. Therefore, business associates should examine their subcontractor relationships to ensure compliance with the HIPAA Final Rule, and specifically to consider whether a BAA is necessary.

HHS has provided a transition period for existing BAAs if, prior to Jan. 25, 2013, the BAA complied with HIPAA and the BAA is not renewed or modified between March 26, 2013 and Sept. 23, 2013. If a BAA meets these requirements, it will be considered compliant until the earlier of: the date the BAA is renewed or modified after Sept. 23, 2013, or Sept. 22, 2014. Due to increased enforcement, covered entities and business associates that wish to take advantage of this transition period should review their current BAAs and confirm that the agreements complied with HIPAA immediately prior to Jan. 25, 2013.


About the Author

The Barnes & Thornburg Healthcare Department regularly represents physicians, medical groups, managed care organizations, hospitals, nursing homes, and national healthcare-related associations located around the country. Given our healthcare practice, we understand the unique commercial and regulatory environment in which healthcare organizations operate. Our attorneys bring their problem-solving and consensus-building skills to listen carefully to the goals of their clients and recommend practical solutions.

