In certain circumstances, the Final Rule allows additional time (in addition to the 180-day compliance period) to revise business associate agreements to make them compliant. In particular, transition provisions will allow covered entities and business associates to continue to operate under existing business associate agreements for up to one year beyond the compliance date (until September 22, 2014) if the business associate agreement:
- Is in writing;
- Was in place prior to January 25, 2013 (the publication date of the Final Rule);
- Is compliant with the Privacy and Security Rules as in effect immediately prior to January 25, 2013; and
- Is not modified or renewed.
This additional time for grandfathered business associate agreements applies only to the written documentation requirement. Covered entities, business associates, and subcontractors will be required to comply with all other HIPAA requirements beginning on the compliance date, even if the business associate agreement qualifies for grandfathered status.
*The exceptions relate to 1) unintentional, good faith access, acquisition, or use by members of the covered entity’s or business associate’s workforce; 2) inadvertent disclosure limited to persons with authorized access and not resulting in further unpermitted use or disclosure; and 3) good faith belief that the unauthorized recipient would be unable to retain the PHI.
Steven M. Harris, Esq., is a nationally recognized health care attorney and a member of the law firm McDonald Hopkins, LLC. He may be reached at [email protected].
To-Do List for Final Rule Compliance
- Covered entities and business associates should review their business associate agreements and determine whether the agreements qualify for grandfathered status and enter into new business associate agreements by the compliance date (September 23, 2013).
- Covered entities and business associates will need to review their policies and procedures prior to the compliance date so that they can implement all necessary changes.
- Notices of Privacy Practices will need to be revised and appropriate training should be provided to personnel of covered entities and business associates prior to the compliance date.
- Any vendor or business that performs functions for a covered entity or another business associate involving the use or disclosure of PHI should determine whether it is a “business associate” and, if so, what needs to be done in order to comply with the Final Rule by the compliance date.
