October 20, 2019

October 18, 2019

Subscribe to Latest Legal News and Analysis

Reminder: Update Your “Grandfathered” HIPAA Business Associate Agreements Now!

In January 2013, the Department of Health and Human Services (“HHS”) published its Final Rule, which significantly increased the privacy and security responsibilities for the “business associates” of “covered entities,” as those terms are defined by HIPAA. A provision within the Final Rule mandated that all covered entities and their business associates revise their business associate agreements to reflect the new responsibilities. Specifically, a business associate must now, among other things:

  • Report breaches of unsecured protected health information (“PHI”) to the covered entity;

  • Comply with the HIPAA Security Rule;

  • Execute business associate agreements with subcontractors (who are now considered business associates under the Final Rule).

Business associate agreements that were in compliance with the HIPAA Privacy Rule prior to January 25, 2013 were considered “grandfathered” and permitted to remain in place until September 23, 2014 – if they were not updated prior to the September date. This date, however, is almost expired and now all business associate agreements must be updated to include the additional requirements created by the Final Rule. Business associate agreements that were put into place after January 25, 2013 should already comply with the Final Rule.

It is important to note that the Final Rule also expanded the definition of a BA to cover new entities and persons. Now, a BA includes health information organizations, e-prescribing gateways, data transmission entities that routinely access PHI, and vendors of PHI records, in addition to subcontractors of business associates that create, receive, maintain, or transmit PHI on behalf of the business associate.

© 2019 by McBrayer, McGinnis, Leslie & Kirkland, PLLC. All rights reserved.


About this Author

Emily M. Hord, Health Care Attorney, McBrayer Law Firm

Emily M. Hord is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC. Ms. Hord concentrates her practice in healthcare law and is located in the firm’s Lexington office. Ms. Hord has experience in a variety of health law issues. She has represented hospitals and healthcare networks, physicians and other medical professionals, nursing homes, and private physician practices. She provides services in the following areas: regulatory and statutory compliance, Certificate of Need and licensing, professional license defense, employment contracts for medical professionals, HIPAA...