One of the requirements of HIPAA-HITECH is that many of the obligations previously imposed on Covered Entities to comply Privacy Security Rules now also are imposed on their Business Associates. In addition, Business Associates are obligated to ensure that their sub-contractors (“sub-Business Associates”) who perform services (either directly or indirectly) on behalf of a Covered Entity also comply with these obligations. A key element in documenting compliance with these requirements is the existence of current Business Associate Agreements, not only between a Covered Entity and its Business Associates, but also between that Business Associate and its sub-Business Associates.
The obligation to enter into a HIPAA-HITECH compliant Business Associate Agreement became effective on September 24, 2013. After that date, every new or renewed Business Associate Agreement is expected to comply with these obligations. This has been the case with respect to Business Associate Agreements between Covered Entities and their Business Associates, as well as between Business Associates and their sub-Business Associates.
However, the Office of Civil Rights (the federal agency responsible for enforcing HIPAA-HITECH) gave Covered Entities and their pre-existing Business Associates an additional twelve months in order to ensure that their Business Associate Agreements complied with the requirements of HIPAA-HITECH. Those twelve months will expire on September 23, 2014. Thereafter, Covered Entities, Business Associates, and sub-Business Associates all will be expected to have Business Associate Agreements that comply with the provisions of HIPAA-HITECH. By way of example, a Business Associate will need to include in its sub-Business Associate’s Business Associate Agreement provisions obligating that party to satisfy a no less stringent reporting obligation timeframe than the timeframe imposed under the Business Associate Agreement between the Business Associate and its Covered Entity. Thus, a Business Associate will need to clearly specify in its sub-Business Associate Business Associate Agreement not only the relevant Covered Entity, but also take steps to impose obligations that do not conflict with or are less stringent than the provisions of its agreement with that Covered Entity.
With the September 24, 2014 deadline rapidly approaching, Covered Entities and Business Associates should review all of their business associate agreements to insure that they comply with the requirements of HIPAA-HITECH.