
As a quick follow-up note to our earlier post about the new HIPAA final rule, there is a significant, but easily overlooked, timeline for implementation of Business Associate Agreements (BAA’s)!

If you implement (drafted and signed between the parties) a Business Associate Agreement BEFORE FRIDAY JANUARY 25, 2013 you will have 1 Extra Year to fully comply with various portions of the new business associate rules!

The new rule places a deadline of SEPTEMBER 23 2013 for covered entities and Business Associates to be compliant with various portions of the new requirements!!!

HOWEVER, if covered entities implement a basic form of Business Associate Agreement (BAA) by or before JANUARY 25 2013, those “basic” agreements will be considered as a sufficient step towards compliance to extend the time when the full weight of the new rules will be in effect!!!

Instead of mandatory full compliance with all the new rule requirements BY 09-23-2013, a full year “grace period” will be granted, delaying such full compliance until September 23, 2014!!!

For those “basic” Agreements which were in place by or before 01-25-2013, the reprieve from full compliance with the new rules will stay in place AS LONG AS the BAA’s are not changed or renewed before the end of the extended “grace period.”

If you don’t have a “basic” HIPAA-compliant agreement in place with your Business Associate by 01-25-2013, the full weight of the new rules will be in effect, and force your compliance on 09-23-2013.

This extension IS CRITICAL – to many organizations who are short on staff, time and money – an extra year to put policies and procedures in place is INVALUABLE!!!

Because we truly care about our clients and the industry we are posting BOTH:
1 – The “basic” model of BAA posted by CMS/HHS several years ago;


2– Our own BAA, which we have used for years – this form is comprehensive and generally applies between a Covered Entity and a Business Associate – but – if needed it could be easily modified to apply between BA’s and their Subcontractors (modifications are up to the end users!)

Because we have never posted one of our “forms” we feel that we must explain the following: This form is given free of charge and IN NO WAY WHATSOEVER implies or should be considered as legal advice – or the establishment of legal representation period – it is subject to all limitations below!

Read Below Before Downloading!

No warranties of any form or sort – express or implied  – are given with this form – this means IN NO manner, variation, or theory is any sort of guarantee or warranty included with this form whatsoever!

By downloading either form mentioned here the person or entity downloading this form IS AGREEING to ALL of the Following:

The form is in no way guaranteed for accuracy, content, suitability, or even usefulness –

YOU AGREE also that you are downloading it at your own risk, and the result will be as if you had picked this up off of a street corner where someone left it –

You Agree that neither Pearson & Bernard PSC nor any of its partners or associates is in any way responsible for your use of either document; that Pearson & Bernard PSC cannot and will not ever be responsible for how you use either document – and that neither is legal advice or in any way legal representation!

1.  To download a Microsoft Word Document version of CMS “example” click –> CMS SAMPLE Business Associate Contracts
(this was copied and pasted from CMS website into a blank word document)

2.  To download a Microsoft Word Document example version of “our” (this Firm’s) BAA click –> Blank Example BAA


NEW HIPAA / HITECH Rules for Business Associates and Subcontractors


On January 17, 2013 the Dept. of Health and Human Services (HHS) released a new final rule which made significant changes in various parts of the HIPAA/HITECH rules. As most readers know, the pressures of protecting patients’ “protected health information” (PHI) are continually escalating. In some respects the new rule relieves the Covered Entities from some of those pressures.

How? By expanding the rule to make Business Associates, and their “sub-contractors” directly liable for ensuring the proper measures of security are in place to protect PHI. Naturally, the 563 page final rule has numerous topics and issues for the entire industry. But, in the short-term we need to call attention to the fact that essentially Business Associates must get assurances from their subcontractors! What assurances? Basically, assurances that the subcontractors (those who have “access” to PHI held by the Business Associate) will comply with the regulations and rules surrounding the use/disclosure/transmittal of PHI.

How about an example to clarify this:

A law firm (let’s call them Firm) is a business associate of a covered entity (let’s call them Agency).

So Firm and Agency have a business associate agreement (BAA) in place, and they have had it in place for years, because both Firm and Agency are doing their best to be compliant.

Prior to this new final rule, Firm had a responsibility to Agency to safeguard Agency’s PHI through the various requirements of the BAA. There was no “rule” requiring Firm to set up subsequent BAA’s with its subcontractors.

Now the new final rule requires Firm to set up BAA’s with its subcontractors.

Which subcontractors does Firm need to do this with?

Simply put, anyone the Firm has hired as a subcontractor, if that subcontractor has access to PHI kept by the Firm. The new rule has published various comments about how expansive this requirement is, but boiled down to the bare essence of the matter, if the subcontractor has access to PHI there needs to be a BAA in place between Firm and subcontractor.

A prime example would be the Firm’s IT contractor. If Firm has hired someone (not an “in-house” employee) to manage its server and the Firm’s server has PHI, then the IT contractor has access to PHI (assuming Firm has stored some PHI from Agency on its server).

Hopefully that plain “bare-essentials” example helped clarify this issue.

Quite notably, a short part of the new rule echoes what is written above. It states:

“The Department also believes that the privacy and security protections for an
individual’s personal health information and associated liability for noncompliance with
the Rules should not lapse beyond any particular business associate that is a
subcontractor. Thus, under the final rule, covered entities must ensure that they obtain
satisfactory assurances required by the Rules from their business associates, and business
associates must do the same with regard to subcontractors, and so on, no matter how far
“down the chain” the information flows.”

This new final rule will become effective on March 26, 2013. Covered entities and business associates must comply with the rules by September 23, 2013. We will continue to review and examine the 563-page final rule, and we will continue to post relevant updates accordingly.

For anyone interested, the PDF document of the new final rule can be accessed by clicking here.

Information that is provided here is NOT LEGAL ADVICE !

This website is an Advertisement.

Copyrighted Materials

All original information is the Intellectual Property of the Author.

Original works and materials may not be reproduced in any manner without prior approval.