Are Compliant BAAs the Same as Compliant BAs?

July 22, 2013

Asking whether your BAAs are compliant seems to assume that business associates are compliant if they have signed a proper BAA. Reality and experience disprove that assumption. Our partner Rebecca Herold, www.theprivacyprofessor.com , has done over 200 risk assessments for business associates (BAs), and when I asked her how many were fully compliant she said “a handful of mostly large organizations, with another 30% partially compliant”. This leaves a large percentage that are totally non-compliant despite having a filing cabinet full of signed BAAs. With no follow-up or enforcement by the covered entities (CEs), the BAs mostly ignore the requirements under HIPAA, let alone under the Omnibus Rules. As many healthcare law firms have stated, getting a proper BAA in place should be only the first step. Next, the BAs must be monitored and required to provide proof that they are compliant. BA Tracker provides a cost-effective, efficient tool for helping the CE keep track of its BAs and for letting the BAs prove their compliance. Take a look at www.compliancehelper.com/batracker

Here is the complete article:

Two months until the Omnibus Final Rule deadline: are your business associate agreements compliant? McGuireWoods LLP, Kimberly J. Kannensohn, Nathan A. Kottkamp and Holly Carnell

On Jan. 17, 2013, the U.S. Department of Health and Human Services (HHS) released the Omnibus Final Rule pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and the Genetic Information Nondiscrimination Act of 2008 (GINA). The Final Rule makes significant changes to the privacy and security obligations of covered entities and their business associates with respect to patients’ protected health information (PHI). Covered entities and business associates are required to come into full compliance with the Final Rule by Sept. 23, 2013.

One of the more burdensome compliance tasks necessitated by the Final Rule is ensuring that all business associate agreements (BAAs) meet the updated requirements. In general, providers must enter into new BAAs or modify existing BAAs by Sept. 23, 2013. However, existing BAAs that (i) were entered into on or before Jan. 25, 2013; (ii) meet the requirements that were applicable prior to the promulgation of the Final Rule; and (iii) were not modified after March 26, 2013, do not have to be updated until Sept. 23, 2014. To the extent that an entity anticipates relying on this grandfathering exception, we recommend ensuring that existing agreements are compliant with the old rules. Otherwise, the exception will not apply.

Entities will also need to evaluate whether the new definition of “business associate” creates additional business associate relationships. The Final Rule contains a number of modifications and clarifications that are significant for defining who qualifies as a business associate of a covered entity under the Health Insurance Portability and Accountability Act (HIPAA). In the Final Rule, HHS (i) clarifies that data storage providers that maintain PHI on behalf of covered entities or business associates on a long-term basis qualify as business associates under HIPAA; and (ii) expands the definition of business associate to include subcontractors of business associates. Accordingly, covered entities and business associates should ensure that they have entered into a compliant BAA with any cloud storage provider to which they have entrusted patient data. All downstream vendors with access to PHI must sign a compliant BAA, no matter how many vendors are interposed between the covered entity and the downstream vendor.

The following are recommended next steps for updating BAAs:

Update the entity’s form BAA to ensure compliance with the Final Rule. This may also be a good opportunity to consider whether the protections and restrictions in the form agreement go far enough in protecting patients and the entity. For additional considerations for providers, see the article, “Are Your Vendors Violating HIPAA? Why Internal HIPAA Compliance May Not Be Enough.”

Conduct an inventory of all current BAAs (including BAAs in which the entity is the covered entity and BAAs in which the entity is a business associate or subcontractor). Each of these BAAs will need to be modified by an amendment or replaced with a revised BAA.

Providers and their business associates should review all business relationships to ensure that a BAA is in place where one is required under HIPAA. Providers and business associates may have relationships that did not previously require a BAA, but do now under the Final Rule’s expansion of the definition of “business associate.”