The September 23, 2013 deadline for updating Business Associate Agreements is extended for one year under the Omnibus Rule for covered entities who have compliant Business Associate Agreements in place by Friday, January 25, 2013. This also applies to agreements between Business Associates and their subcontractors.
Covered Entities and Business Associates (as well as Business Associates and their subcontractors) may continue to rely on those agreements for up to one year beyond the compliance date of the modifications, regardless of whether the contract meets the applicable contract requirements in the Omnibus Rule. This includes existing written agreements between business associates and subcontractors under which such subcontractors agree to the same restrictions and conditions that apply to the business associate. Such contracts are deemed to be compliant with the modifications to the Rules until either the covered entity or business associate has renewed or modified the contract following the compliance date of the modifications, or until September 23, 2014 (one year after the compliance date), whichever is sooner. "Evergreen" contracts which automatically renew also qualify for the extension.
Covered Entities (providers, health plans/insurers, and clearinghouses) should verify that they have current signed business associate agreements in place no later than this Friday in order to be grandfathered for an extra year.
Business Associates who have delegated functions to subcontractors involving PHI need to make sure they have signed written agreements in place that meet the standards of the existing rule under which the subcontractors agree to follow HIPAA. This is where there may be more gaps, since many Business Associates may have been unaware of their obligations to assure compliance by their subcontractors.
Even grandfathered Business Associate Agreements and subcontractor agreements should be reviewed to see if the contracted party (business associate or subcontractor) is acting as an agent of the Covered Entity or Business Associate. If it is, the date on which a breach is discovered (or should have been discovered) is imputed up contractual chain and could mean that the Covered Entity is responsible for reporting breaches it knows nothing about.
If you need help determining whether you qualify for grandfathering, please contact your Fox Rothschild attorney immediately