The Department of Health and Human Services (HHS) has set a compliance deadline of September 23, 2013, for HIPAA-covered entities to meet essentially all aspects of the new HIPAA rules that were recently updated to implement the Health Information Technology for Economic and Clinical Health (HITECH) Act. Among the many necessary tasks are making changes to policies, privacy notices, training, and a covered entity’s practices such as implementation of individual privacy rights, breach reporting, security measures and business associate contracting.
One of the highest-priority items is updating business associate agreements (BAAs), because the distribution, negotiation and execution process can be time-consuming. Note that BAAs in place prior to January 25, 2013, may be updated either on the next modification or renewal, or prior to September 22, 2014, whichever is earlier. BAAs entered into after January 25 and going forward must be updated by September 23, 2013.
We recognize that covered entities need affordable tools to assist them in their compliance efforts. For that reason, we have created a BAA template that will help covered entities meet these compliance obligations. Unlike other BAA templates available, this version includes a number of provisions that are not strictly required by the final rules but which we recommend in order to more strongly protect covered entities in light of the increased risk posed by business associates. For example, unless contracted otherwise, covered entities can be responsible for business associate noncompliance and are left to mitigate, report and pay for business associate-caused security breaches. This BAA template tips the balance back in favor of the covered entity in terms of risk, cost and liability protection. It includes features to both address the new HITECH requirements and mitigate the risk of business associate-caused security breaches and noncompliance.
With the compliance deadline only two months away, covered entities must focus their efforts on ensuring that all updates are complete and new training is concluded prior to the September 23 deadline.