The HIPAA Final Omnibus Rule is quickly approaching its one-year anniversary, yet many organizations are still feeling the pressure of a time crunch to create updated business associate agreements. As the one-year grace period extended to existing BAAs comes to a close, here are six steps to take to ensure you are fully compliant.

The infamous September 23, 2013 deadline required covered entities and business associates to comply with the updated Privacy, Security, Breach and Enforcement provisions. One of the major tasks that covered entities and business associates had to tackle to ensure compliance was to review and update, as necessary, business associate agreements (BAAs). Omnibus required that covered entities enter into BAAs with their business associates and that business associates enter into BAAs with their subcontractors, as defined by HIPAA.

Time’s up!

According to the Final Rule, BAAs entered into after January 25, 2013 were to comply with the new requirements by September 23, 2013. A one-year grace period for grandfathered business associate agreements that were entered into prior to January 25, 2013, and not renewed between March 26, 2013 and September 23, 2013, was factored into the Final Rule.

The grace period will end on September 23, 2014, meaning that all noncompliant BAAs must be updated to ensure that they meet the Omnibus requirements and include the appropriate new obligations on business associates.

A roadmap to compliance

If your organization has any outstanding BAAs, here are a few helpful steps:

  1. Work with your legal counsel to review and update, as necessary, your current BAA
  2. Create and/or review your current inventory list of Business Associates and/or Subcontractors
  3. Determine if there are any outstanding BAAs pursuant to the grandfathered one-year grace period
  4. Send updated BAAs that include the new requirements and obligations to the applicable parties
  5. Update your Business Associate/Subcontractor inventory list as newly signed BAAs come into your organization
  6. Document any refusal by a Business Associate and/or Subcontractor to sign the updated BAA, and discuss the next appropriate steps with your legal counsel


Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years of legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights, where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.