HIPAA Grace Period Ends as Audits Begin for Business Associates

See updated information on OCR Plans to Conduct Round 2 Audits (below).

When we were kids it seemed like Christmas was always so far away. The older we get, the faster time seems to fly by. For many organizations that were granted a one year grace period for compliance with the Omnibus HIPAA Final Rule regarding Business Associate Agreements (BAAs), the last year may have gone by much faster than you expected.

Effective September 23, 2013, all BAAs were required to comply with new requirements of the Final Rule. However, a one-year grace period was granted for:

  • BAAs that were in place prior to the January 25, 2013 publication date,
  • that were compliant with prior HIPAA provisions, and
  • that were not renewed or modified between the March 26, 2013 effective date and the September 23, 2013 compliance deadline.

This grace period (applicable only to the requirement to amend contracts) is set to expire on September 22, 2014.

In effect, the much publicized September 2013 compliance deadline of the Omnibus Final Rule only applied to agreements created after January 25, 2013 or renewed/modified between April 26 and September 23, 2013. Therefore, many agreements made prior to January 2013 have not yet been required to comply. The September 22, 2014 deadline may actually apply to many more organizations than the Rule’s stated 2013 deadline.

If your organization has been operating under a BAA that was grandfathered in under this provision, your final deadline is now just a few weeks away. Here’s what you need to know…

Who is a Business Associate?

According to HIPAA Regulations, a Business Associate (BA) is defined as:

A person, partnership, corporation, professional association, or other entity who creates, receives, or transmits PHI on behalf of a Covered Entity (CE) or who provides services to or for the CE involving the disclosure of PHI.

This revised definition of a BA from the Final Rule includes:

  • Health Information Organizations,
  • e-Prescribing Gateways,
  • PHR vendors providing services on behalf of a CE,
  • Any entity who provides data transmission services to a CE involving PHI and has access to PHI, and
  • Subcontractors who create, receive, maintain, or transmit PHI on behalf of a BA.

A helpful checklist for determining who is a Business Associate is available in the Resources section of Loricca.com.

What is Required of a Business Associate?

Ultimately, under the Final Rule, a BA must comply with specific provisions of the Privacy Rule and Security Rule requirements the same as a CE. The CE is responsible for requiring any BA that it works with to comply with Privacy Rule obligations related to any functions performed on behalf of the CE.

BAs are now directly liable for HIPAA Rule violations. As the Health and Human Services (HHS) Office of Civil Rights (OCR) prepares to begin a second round of HIPAA audits this fall, BAs as well as CEs will be selected for audits and will be responsible for their compliance with the provisions of the Final Rule. OCR officials have stated that BAs are liable whether or not there is a BAA in place. Additionally, CEs are to be held responsible for violations by BAs and BAs are, in turn, to be held responsible for violations by subcontractors.

What Should be Included in a Business Associate Agreement?

Specific provisions that would be included in any BAA will be dictated by the function of the BA relative to the CE as well as the contractual obligations established for the relationship. However, to be compliant with HITECH provisions, every BAA is also required to specify that the BA (or subcontractor) must:

  • Comply with the HIPAA Security Rule.
  • Report to the CE any breach of unsecured PHI.
  • Enter into BAAs with subcontractors imposing the same obligations that apply to the BA.
  • Comply with the HIPAA Privacy Rule to the extent that the BA is carrying out a CE’s Privacy Rule obligations.

With the full implementation and the end of the grace period prescribed by the Omnibus HIPAA Final Rule, expectations of BAs are essentially the same as those of CEs. With OCR set to resume audits in the coming months, the scrutiny and potential penalties handed down by OCR will also be shared by BAs.

If your organization has been operating as a CE or as a BA (or subcontractor) and you have compliance questions or IT security needs, please contact us right away.

UPDATE: Round 2 Audits On Hold
September 9, 2014

HHS/OCR officials have announced that plans to begin a new round of HIPAA audits are on hold until technology updates can be completed that will better facilitate the exchange of information between companies and OCR.

“We’re updating technology that we’ll use to get documents from the companies we are auditing,” she says. “The IT project was pushed back. We’re holding off starting [audits] while waiting for the technology.” (Linda Sanches, OCR Senior Advisor, via Healthcare Info Security)

OCR has also indicated that fewer audits will be conducted remotely, and more on-site, than originally planned.

Ms. Sanches also said that OCR will focus more on companies’ periodic risk analysis for evidence of ongoing, regular efforts being made by the organization to address new and evolving risks.
