Skip to main content

OCR Releases Sample Business Associate Agreement Provisions

 Written By Kimberly Gold



The Department of Health and Human Services, Office for Civil Rights (OCR) has posted on its website sample business associate agreement provisions to help covered entities and business associates comply with the new business associate agreement requirements under the final HIPAA Omnibus Rule.

The HIPAA Omnibus Rule modified the minimum required contents of business associate agreements.  In addition to previously required provisions, business associate agreements must now include provisions that require business associates to:

  • ♣ comply with the HIPAA Security Rule requirements;
  • ♣ report any security breach to the covered entity;
  • ♣ enter into a business associate agreement with any subcontractor that receives the covered entity’s protected health information (“PHI”); and
  • ♣ comply with the provisions of the HIPAA Privacy Rule applicable to any obligation which the covered entity delegates to the business associate, such as the obligation to provide an individual with access to his or her PHI.

As we noted in our HIPAA Omnibus reference chart, the HIPAA Omnibus Rule expanded the definition of “business associate” to include subcontractors.  This change means that covered entities must obtain satisfactory assurances in the form of business associate agreements from their business associates, and that business associates must do the same with regard to subcontractors who receive PHI.  OCR indicated that while the sample business associate agreement provisions are written for use in a contract between a covered entity and its business associate, the language may also be adapted for a contract between a business associate and its subcontractor.

The template provisions are a helpful starting point, but additional revisions are advisable.  For example, detail regarding notification and mitigation in the event of breach should be added.  Indemnification has also become a common business associate provision in light of HITECH’s increased monetary penalties.

Covered entities and business associates have until September 22, 2014 to make any necessary changes to business associate agreements.  Any existing agreement modified after the September 23, 2013 Omnibus Rule effective date must include any previously omitted provisions.

For further information on the impact of the HIPAA Omnibus Rule, please register for our January 30 webinar, The New HIPAA Omnibus Rule & Your Liability.

Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.