July 22, 2014

OCR Releases Sample Business Associate Agreement Provisions

The Department of Health and Human Services, Office for Civil Rights (OCR) has posted on its website sample business associate agreement provisions to help covered entities and business associates comply with the new business associate agreement requirements under the final HIPAA Omnibus Rule.

The HIPAA Omnibus Rule modified the minimum required contents of business associate agreements.  In addition to previously required provisions, business associate agreements must now include provisions that require business associates to:

  • comply with the HIPAA Security Rule requirements;
  • report any security breach to the covered entity;
  • enter into a business associate agreement with any subcontractor that receives the covered entity’s protected health information (“PHI”); and
  • comply with the provisions of the HIPAA Privacy Rule applicable to any obligation which the covered entity delegates to the business associate, such as the obligation to provide an individual with access to his or her PHI.

As we noted in our HIPAA Omnibus reference chart, the HIPAA Omnibus Rule expanded the definition of “business associate” to include subcontractors.  This change means that covered entities must obtain satisfactory assurances in the form of business associate agreements from their business associates, and that business associates must do the same with regard to subcontractors who receive PHI.  OCR indicated that while the sample business associate agreement provisions are written for use in a contract between a covered entity and its business associate, the language may also be adapted for a contract between a business associate and its subcontractor.

The template provisions are a helpful starting point, but additional revisions are advisable.  For example, detail regarding notification and mitigation in the event of breach should be added.  Indemnification has also become a common business associate provision in light of HITECH’s increased monetary penalties.

Covered entities and business associates have until September 22, 2014 to make any necessary changes to business associate agreements.  Any existing agreement modified after the September 23, 2013 Omnibus Rule effective date must include any previously omitted provisions.

For further information on the impact of the HIPAA Omnibus Rule, please register for our January 30 webinar, The New HIPAA Omnibus Rule & Your Liability.

©1994-2014 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

About the Author

Kimberly J. Gold, Health Care Attorney, Mintz Levin Law Firm
Associate

Kimberly's practice focuses on regulatory and transactional matters, including compliance, privacy and security, mergers and acquisitions, financings, licensing, and reimbursement.

Kimberly has extensive experience in the areas of privacy and security of patient information under HIPAA and state laws. She has prepared compliance programs, privacy policies, business associate agreements, and counseled clients on breach notification requirements. She also represents clients in the health information technology area and has counseled mobile app companies on privacy and FDA...

212-692-6706
