OCR Releases Sample Business Associate Agreement Provisions

The Department of Health and Human Services, Office for Civil Rights (OCR) has posted on its website sample business associate agreement provisions to help covered entities and business associates comply with the new business associate agreement requirements under the final HIPAA Omnibus Rule.

The HIPAA Omnibus Rule modified the minimum required contents of business associate agreements.  In addition to previously required provisions, business associate agreements must now include provisions that require business associates to:

  • comply with the HIPAA Security Rule requirements;
  • report any security breach to the covered entity;
  • enter into a business associate agreement with any subcontractor that receives the covered entity’s protected health information (“PHI”); and
  • comply with the provisions of the HIPAA Privacy Rule applicable to any obligation which the covered entity delegates to the business associate, such as the obligation to provide an individual with access to his or her PHI.

As we noted in our HIPAA Omnibus reference chart, the HIPAA Omnibus Rule expanded the definition of “business associate” to include subcontractors.  This change means that covered entities must obtain satisfactory assurances in the form of business associate agreements from their business associates, and that business associates must do the same with regard to subcontractors who receive PHI.  OCR indicated that while the sample business associate agreement provisions are written for use in a contract between a covered entity and its business associate, the language may also be adapted for a contract between a business associate and its subcontractor.

The template provisions are a helpful starting point, but additional revisions are advisable. For example, detail regarding notification and mitigation in the event of a breach should be added. Indemnification has also become a common business associate agreement provision in light of HITECH’s increased monetary penalties.

Covered entities and business associates have until September 22, 2014 to make any necessary changes to business associate agreements.  Any existing agreement modified after the September 23, 2013 Omnibus Rule effective date must include any previously omitted provisions.

For further information on the impact of the HIPAA Omnibus Rule, please register for our January 30 webinar, The New HIPAA Omnibus Rule & Your Liability.

©1994-2015 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.
