| Written By Kimberly Gold
The Department of Health and Human Services, Office for Civil Rights (OCR) has posted on its website sample business associate agreement provisions to help covered entities and business associates comply with the new business associate agreement requirements under the final HIPAA Omnibus Rule.
The HIPAA Omnibus Rule modified the minimum required contents of business associate agreements. In addition to previously required provisions, business associate agreements must now include provisions that require business associates to:
As we noted in our HIPAA Omnibus reference chart, the HIPAA Omnibus Rule expanded the definition of “business associate” to include subcontractors. This change means that covered entities must obtain satisfactory assurances in the form of business associate agreements from their business associates, and that business associates must do the same with regard to subcontractors who receive PHI. OCR indicated that while the sample business associate agreement provisions are written for use in a contract between a covered entity and its business associate, the language may also be adapted for a contract between a business associate and its subcontractor.
The template provisions are a helpful starting point, but additional revisions are advisable. For example, detail regarding notification and mitigation in the event of breach should be added. Indemnification has also become a common business associate provision in light of HITECH’s increased monetary penalties.
Covered entities and business associates have until September 22, 2014 to make any necessary changes to business associate agreements. Any existing agreement modified after the September 23, 2013 Omnibus Rule effective date must include any previously omitted provisions.
For further information on the impact of the HIPAA Omnibus Rule, please register for our January 30 webinar, The New HIPAA Omnibus Rule & Your Liability.
Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.