Deadline for HIPAA Business Associate Agreements

After meeting the Sept. 22, 2014 deadline for updating business associate agreements, keep track of their effective/renewal dates

By Christina M. Crockett Sep 10, 2014

The transition period for adopting updated business associate agreements under the Health Insurance Portability and Accountability Act (HIPAA) ends on Sept. 22, 2014.

Last year, the Department of Health and Human Services (HHS) gave a one-year reprieve to covered entities with contracts already in place on Jan. 25, 2013, as part of the Omnibus HIPAA Rule that finalized certain regulatory changes made under the Health Information Technology for Economic and Clinical Health Act (HITECH). Under the relief provision, covered entities (and business associates with subcontractors) were not required to secure new business associate agreements for pre-existing contracts that were not renewed or modified between March 26, 2013 and Sept. 23, 2013. Those grandfathered agreements enjoyed deemed compliance, assuming their terms otherwise were HIPAA-compliant, until either (1) the contract renewal or modification date, or (2) Sept. 22, 2014, whichever came first.

For grandfathered contracts, in other words, the HHS deadline for adopting new business associate agreements was essentially extended to Sept. 22, 2014.

Identifying Business Associates

With more significant penalties flowing from HIPAA violations, properly identifying business associates for purposes of securing new agreements has become paramount.

HHS guidance generally defines a business associate as a person or organization who performs certain services for covered entities and other business associates that involve the use or disclosure of protected health information (PHI). Those services include claims processing, data analysis, quality assurance, billing, consulting, actuarial and other plan-related administrative services to the extent they involve disclosing PHI.

The business associate definition also arguably extends to PHI-related offsite and cloud storage providers, document shredding and other similar servicers.

Keep in mind that HIPAA liability attaches immediately when the business associate receives, creates, maintains or transmits PHI on behalf of the covered entity (or other business associate). A failure to enter into a business associate agreement before that initial handling of PHI will not negate the existence of a business associate.

Drafting Business Associate Agreements

If any agreements have not been updated, those contracts should be reviewed immediately to determine the legal sufficiency of the existing provisions.

Agreements that have not been updated since 2010 likely will require complete restatements that clearly reflect the new rules applicable to business associates under HITECH, especially the breach notification requirement.

There is no one-size-fits-all business associate agreement. Although HHS provides a sample business associate agreement, the HHS guidance encourages parties to develop and negotiate their own agreements, consistent with the regulatory content requirements. Most agreements will have similar language concerning:

Permitted uses and disclosures.

Administrative, physical and technical safeguards.

Termination requirements.

Business associate agreements will differ, however, with respect to delegation: it is critical that each agreement specify whether the covered entity will delegate breach notification obligations. Remember also that certain other provisions may be appropriate for contracts between business associates and subcontractors.

Year-End HIPAA Housecleaning

After executing updated business associate agreements for grandfathered arrangements, it would be wise to develop a practice of maintaining a log or spreadsheet that tracks the effective/renewal dates of those agreements and the underlying service agreements.

In addition, before moving on from HIPAA to other welfare plan projects, time should be devoted to confirming whether the HIPAA Privacy and Security Policies and Procedures manuals have been updated. HIPAA training materials also should be reviewed along with the Privacy Notice to close out the plan’s HIPAA document review.

Christina M. Crockett is an employee benefits attorney in the Washington, D.C., metropolitan area. She assists employers and other plan sponsors with compliance concerns related to developing, implementing and administering employer-sponsored benefit programs.
