The final regulations under the HITECH Act, which amend HIPAA, make several changes, including modifying the requirements for business associate agreements (BAAs). The HITECH Final Rule, also known as the Omnibus Rule, recognized that renegotiating and amending existing BAAs for HITECH compliance could become a burdensome task if implementation was immediately required on the date the Final Rule became effective, or September 23, 2013. Therefore, the Final Rule included a one-year transition period for entities that had existing BAAs in effect as of January 25, 2013. That one-year transition period, which began on September 23, 2013, is set to expire on September 22, 2014.
Specifically, the period of transition gives covered entities and business associates with BAAs in place prior to January 25, 2013 a period of time until September 22, 2014 to amend their BAAs to comply with the HITECH requirements. This transition period also extends to business associates and sub-business associates. However, there is one caveat to this extension. The extension is only available if the existing BAA was not renewed or amended between March 26, 2013 and September 23, 2013. If a BAA was renewed or amended during that time period, HITECH required the new BAA regulations to be added at that time.
Notably, this transition rule does not extend the time period for compliance with the underlying HITECH requirements; rather, it is a limited extension for renegotiating and amending BAAs. In other words, this extension was specifically geared toward alleviating the potential burden or workflow disruption entities faced with negotiating and executing the provisions contained within the four corners of a BAA. This extension did not exempt a covered entity or business associate from complying with HIPAA/HITECH regulations, as the government continues to hold companies to the minimum compliance standards of HIPAA/HITECH, regardless of the language contained in a BAA.
If you or your company fall within the BAA transition period, it is important that you review, negotiate/discuss, and amend the applicable BAA by September 22, 2014. The necessary amendments pursuant to the Final Rule may include, but are not limited to, breach notification provisions, extension of Security Rule and certain Privacy Rule requirements to business associates, and amendments to how a patient can access his/her PHI. More information, including a sample BAA can be found on the U.S. Department of Health and Human Services’ website.