REMINDER: Compliance Deadline for all Business Associate Agreements is Monday, September 22, 2014
The Centers for Medicare & Medicaid Services (CMS) has set September 22, 2014 as the final deadline for all business associate agreements to be in compliance with the HIPAA Omnibus Rule. Both covered entities and business associates who deal with each other and/or subcontractors must review all of their business associate agreements to ensure that any involving the disclosure of personal health information (PHI) are in compliance. Examples of business associates would be those involving billing, consulting, storage facilities, shredding facilities, claims processing, data analysis, quality assurance, legal services, etc.
Although the initial deadline for compliance was September 13, 2013, there was an exception put in place for business associate agreements that were in existence prior to January 25, 2013 that were not modified or renewed. However, come September 22, 2014, all of the business associate agreements, including the aforementioned exceptions, must now be in compliance.
When reviewing the business associate agreements, the parties should pay attention to the breach notice requirements, indemnification/damage limitations, insurance requirements, permitted disclosure of PHI, safeguards in place for PHI and termination requirements to ensure that they include language that complies with the HIPAA Omnibus Rule as well as the underlying business agreements for the services provided. It would be wise to maintain a log/spreadsheet of all business associate agreements in place in order to track them for compliance and renewal purposes.
For more information or if you need assistance complying with the HIPAA Omnibus Rule, please contact your regular Hinshaw attorney.
This alert has been prepared by Hinshaw & Culbertson LLP to provide information on recent legal developments of interest to our readers. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship.