An organization’s Business Associate (BA) Agreements may need to be amended or updated to comply with the Final Rule. Under the new regulations, BA Agreements must now require that the BA do the following:
1) Comply, where applicable, with the HIPAA Security Rule
2) Report breaches of unsecured PHI to the Covered Entity as required under the breach notification rules
3) Ensure that any subcontractors that create or receive PHI on behalf of the BA agree to the same restrictions and conditions that apply to the BA (there must now be a BA Agreement in place between a BA and its subcontractors in these circumstances)
4) Comply with the requirements of the HIPAA Privacy Rule whenever the BA is carrying out a Covered Entity’s obligation under the Privacy Rule

BA Agreements entered into prior to 1/25/13 between Covered Entities and BAs (as well as between BAs and their subcontractors) that met the requirements of HIPAA and HITECH prior to 1/25/13, and that are not renewed or modified between 3/26/13 and 9/23/13, will be granted grandfathered status and deemed to remain in compliance until 9/23/14 or the date the contract is renewed or modified, whichever occurs first. All other BA Agreements must be in compliance with the new regulations by 9/23/13.
Taken in part from: Miller & Martin, PLLC 3/8/2013