Bradley has launched a multipart blog series on the U.S. Department of Health and Human Services’ (HHS) proposed changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, beginning last week with an overview. The Notice of Proposed Rulemaking (NPRM) was published on January 6, 2025. This marks the first update since the HIPAA Security Rule’s original publication in 2003 and its last revision in 2013. In this weekly series, we will continue to explore the key changes and their implications and provide insights and takeaways for covered entities and their business associates under HIPAA.
What’s New for BAs and BAAs?
This week’s installment covers the proposed changes specifically affecting business associates (BAs) and business associate agreements (BAAs), as well as the responsibilities of covered entities that delegate the HIPAA Security Official role to a business associate.
Revisions to BAAs
The NPRM requires regulated entities to include within their BAAs the following new provisions:
- Notification to the covered entity (and, for downstream BAs, to the business associate) within 24 hours of activating its contingency plan;
- Written verification that the BA (and any downstream BA of the business associate) has deployed technical safeguards as required by HIPAA; and
- Requirements to provide written assurances at least once every 12 months that the BA has implemented technical safeguards validated by cybersecurity subject matter experts and certified by a person of authority at the BA.
In addition, as part of the required security risk assessment process, regulated entities must assess the risks of entering a BAA with a current or prospective BA based on this written verification.
The revisions will require updates both to BAAs in effect now and to any new BAAs entered into after the Final Rule is published. Similar to the HITECH rule implementation in 2013, these required revisions will have an on-ramp for regulated entities to become compliant. Notably, the transition provisions of the NPRM state that BAAs will be deemed in compliance if the following circumstances exist: (1) the BAA contains the required provisions applicable at the time the Final Rule is published, and (2) the BAA is not renewed or modified within 60 to 240 days after the Final Rule is published. However, all BAAs must be in compliance within a year plus 60 days after the Final Rule is published.
These revisions may create a significant administrative load for regulated entities small and large. In preparation for the Final Rule publication, regulated entities should review their current BAAs to confirm that these agreements are up to date with the requirements in effect at the time of execution, so that they can take advantage of the on-ramp for compliance. Even under current law, regulated entities may also benefit from updating their vendor management programs to request written verification of technical safeguards, scaled to the level of risk associated with the business associate’s handling of PHI.
Covered Entity Delegation of Security Officials
The NPRM also confirms that a covered entity may appoint a business associate as its Security Official. Importantly, HHS clarifies its view that the covered entity remains ultimately liable for compliance with the Security Rule even if the function is contracted to a business associate.
The HHS Office for Civil Rights (OCR) will accept comments through March 7, 2025.
In our upcoming posts in this series, we will delve into changes to the HIPAA Security Rule affecting group health plans and current thinking related to AI technologies.
Please visit the HIPAA Security Rule NPRM and the HHS Fact Sheet for additional resources.