The deadline for executing a HIPAA Omnibus Rule-compliant Business Associate Agreement (BAA) looms just 2 short weeks from today.  What can a busy covered entity (CE) or business associate (BA) do quickly to show HHS (let alone its business partners/contractors) that it wants and fully intends to comply with the new requirements?  Here are  3 shortcuts that might help you squeak that new BAA in before the deadline:

  • Review and update or prepare an Omnibus Rule-compliant BAA; consider changing opening language to state that you and/or your contractor “may be” a CE, BA, or subcontractor as those terms are defined under HIPAA and that the services “may” involve or require to use or disclosure of protected health information (“PHI”).  This way, the BAA can be executed, but will only apply to HIPAA-covered arrangements.
  • If you know you are CE, BA, or subcontractor of a BA and know (or expect) the arrangement will involve or require the use or disclosure of PHI, but you aren’t sure your existing BAAs are up-to-date, send a generic letter to your contractors via email letting them know that, to the extent HIPAA applies to your business arrangement, you share their responsibility and desire to comply with HIPAA.  Attach or send a link to a website where your updated or new BAA can be accessed by the contractor.
  • Encourage your contractor to sign the new BAA and email or print and fax a signed copy back to you (again, time is running out!).

HIPAA compliance is more than BAA documentation, of course, but these shortcuts can help you jumpstart (or wrap up) this aspect of compliance.

The September 23, 2013 deadline for updating Business Associate Agreements is extended for one year under the Omnibus Rule for covered entities who have compliant Business Associate Agreements in place by Friday, January 25, 2013. This also applies to agreements between Business Associates and their subcontractors.

Covered Entities and Business Associates (as well as Business Associates and their subcontractors) may continue to rely on those agreements for up to one year beyond the compliance date of the modifications, regardless of whether the contract meets the applicable contract requirements in the Omnibus Rule. This includes existing written agreements between business associates and subcontractors under which such subcontractors agree to the same restrictions and conditions that apply to the business associate. Such contracts are deemed to be compliant with the modifications to the Rules until either the covered entity or business associate has renewed or modified the contract following the compliance date of the modifications, or until September 23, 2014 (one year after the compliance date), whichever is sooner. "Evergreen" contracts which automatically renew also qualify for the extension.

Covered Entities (providers, health plans/insurers, and clearinghouses) should verify that they have current signed business associate agreements in place no later than this Friday in order to be grandfathered for an extra year.

Business Associates who have delegated functions to subcontractors involving PHI need to make sure they have signed written agreements in place that meet the standards of the existing rule under which the subcontractors agree to follow HIPAA.   This is where there may be more gaps, since many Business Associates may have been unaware of their obligations to assure compliance by their subcontractors.


Even grandfathered Business Associate Agreements and subcontractor agreements should be reviewed to see if the contracted party (business associate or subcontractor) is acting as an agent of the Covered Entity or Business Associate.  If it is, the date on which a breach is discovered (or should have been discovered) is imputed up contractual chain and could mean that the Covered Entity is responsible for reporting breaches it knows nothing about. 

If you need help determining whether you qualify for grandfathering, please contact your Fox Rothschild attorney immediately