Co-authored by Christopher K. Buch.
On January 25, the Department of Health and Human Services (HHS) published its highly anticipated Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule (Final Rule). The Final Rule covers many topics, including the extension of some of HIPAA’s privacy and security compliance obligations to “business associates” or organizations that do business with HIPAA-covered entities.
HHS provided suggested language that could be used to comply with the Final Rule for use in contracts between business associates and covered entities (business associate agreements). The deadline for reflecting the provisions of the Final Rule in business associate agreements is September 23, 2013 (though currently existing business associate agreements have until September 22, 2014 to be updated).
The Final Rule notes that the updated language provided by HHS is sample language only and does not have to be used in the exact form provided by HHS. HHS’s sample language also includes alternative provisions that may be used in business associate agreements, so it is important for business associates and covered entities to review their agreements to ensure that the proper alternatives are chosen.
A link to the sample business associate agreement provisions may be found here.
The Final Rule can be found here.