Not yet a Member?
HR Magazine is highlighting the next generation of HR leaders.
Is your employee handbook ready for the New Year? With SHRM’s Employee Handbook Builder get peace of mind that your handbook is up-to-date.
Get the HR education you need without travel expenses or time out of the office.
Join us in Chicago for the latest trends and technology in talent management, and what to expect in the future.
After meeting the Sept. 22, 2014 deadline for updating business associate agreements, keep track of their effective/renewal dates
The transition period for adopting updated
business associate agreements under the Health Insurance Portability and Accountability Act (HIPAA) ends on Sept. 22, 2014.
Last year, the Department of Health and Human Services (HHS) gave a one-year reprieve to covered entities with contracts already in place on Jan. 25, 2013, as part of the
Omnibus HIPAA Rule that finalized certain regulatory changes made under the Health Information Technology for Economic and Clinical Health Act (HITECH). Under the relief provision, covered entities (and business associates with subcontractors) were not required to secure new business associate agreements for pre-existing contracts that were not renewed or modified between March 26, 2013 and Sept. 23, 2013. Those grandfathered agreements enjoyed deemed compliance, assuming their terms otherwise were HIPAA-compliant, until either (1) the contract renewal or modification date, or (2) Sept. 22, 2014, whichever came first.
For grandfathered contracts, in other words, the HHS deadline for adopting new business associate agreements was essentially extended to Sept. 22, 2014.
With more significant penalties flowing from HIPAA violations, properly identifying business associates for purposes of securing new agreements has become paramount.
HHS guidance generally defines a business associate as a person or organization who performs certain services for covered entities and other business associates that involve the use or disclosure of protected health information (PHI). Those services include claims processing, data analysis, quality assurance, billing, consulting, actuarial and other plan-related administrative services to the extent they involve disclosing PHI.
The business associate definition also arguably extends to PHI-related offsite and cloud storage providers, document shredding and other similar servicers.
Keep in mind that HIPAA liability attaches immediately when the business associate receives, creates, maintains or transmits PHI on behalf of the covered entity (or other business associate). A failure to enter into a business associate agreement before that initial PHI will not negate the existence of a business associate.
If any agreements have not been updated, those contracts should be reviewed immediately to determine the legal sufficiency of the existing provisions.
Agreements that have not been updated since 2010 likely will require complete restatements that clearly reflect the new rules applicable to business associates under HITECH, especially the breach notification requirement.
There is no one-size-fits-all business associate agreement. Although HHS provides a sample business associate agreement, the HHS guidance encourages parties to develop and negotiate their own agreements, consistent with the regulatory content requirements. Most agreements will have similar language concerning:
• Permitted uses and disclosures.
• Administrative, physical and technical safeguards.
• Termination requirements.
Business associate agreements, however, will differ with respect to delegation as it is critical that agreements specify whether the covered entity will delegate breach notification obligations. Remember also that certain other provisions may be appropriate for contracts between business associates and subcontractors.
After executing updated business associate agreements for grandfathered arrangements, it would be wise to develop a practice of maintaining a log or spreadsheet that tracks the effective/renewal dates of those agreements and the underlying service agreements.
In addition, before moving on from HIPAA to other welfare plan projects, time should be devoted to confirming whether the HIPAA Privacy and Security Policies and Procedures manuals have been updated. HIPAA training materials also should be reviewed along with the Privacy Notice to close out the plan’s HIPAA document review.
Christina M. Crockett is an employee benefits attorney in the Washington, D.C., metropolitan area. She assists employers and other plan sponsors with compliance concerns related to developing, implementing and administering employer-sponsored benefit programs.
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Your session has expired. Please log in again before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Recommended for you
Join SHRM's exclusive peer-to-peer social network
SHRM’s HR Vendor Directory contains over 3,200 companies