The final HIPAA “mega rule” is going to be officially published on the Federal Register tomorrow, January 25, 2013. Currently the version available (https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf) is “pre-publication” version.
Over the past week I’ve had numerous CEs and BAs contacting me, frantic to change their BA Agreements to “avoid complying with the Mega Rule for another year!” Wait, folks. You are misunderstanding; this is a very specific extension that only applies to the BA Agreements. Let me explain…
The Final HIPAA Mega Rule includes an up-to-one-year extension for covered entities (CEs) and business associates (BAs) to revise their BA Agreements if the agreements were entered into and compliant with HIPAA as of January 25, 2013, the communicated date of formal publication of the new rule in the Federal Register.
This so-called “grandfathering provision” provides for the following:
- If CEs and BAs have a *HIPAA compliant agreement* in place (fully executed and signed) *before* January 25, 2013, and the agreement is not renewed between March 26, 2013 and September 23, 2013, then they can use that agreement until 9/23, 2014.
- If the CEs and BAs do *NOT* have a HIPAA compliant agreement in place prior to January 25, 2013, then they will need to enter into a compliant agreement by 9/23/2013 (one year earlier than for grandfathered agreements described in the previous bullet.)
The exact verbiage, if you prefer, follows:
§ 164.532 Transition provisions.
:
(e) Implementation specification: Deemed compliance. (1) Qualification.
Notwithstanding other sections of this part, a covered entity, or business associate with respect to a subcontractor, is deemed to be in compliance with the documentation and contract requirements of §§ 164.308(b), 164.314(a), 164.502(e), and 164.504(e), with respect to a particular business associate relationship, for the time period set forth in paragraph (e)(2) of this section, if:
(i) Prior to January 25, 2013, such covered entity, or business associate with respect to a subcontractor, has entered into and is operating pursuant to a written contract or other written arrangement with the business associate that complies with the applicable provisions of §§ 164.314(a) or 164.504(e) that were in effect on such date; and
(ii) The contract or other arrangement is not renewed or modified from March 26, 2013, until September 23, 2013.
Note that regardless of the situations described above, if an agreement is renewed between 9/23/2013 and 9/23/2014, it must comply with the new rule.
So, what is the benefit of rushing to get new contracts executed before tomorrow? The CEs and BAs will then have until 9/23/2014 to revise the BA Agreement to meet the new requirements.
Well then, should organizations rush to get such contracts executed before Friday? For most organizations I would recommend not, unless they were already in the midst of working on BA Agreements and have already spent a lot of time on it, and determined the conditions will provide sufficient safeguards during that extra year they would have to get a new contract in place, and that the BA will be in compliance with the specified requirements as they currently exist.
Otherwise, if a BA Agreement is not entered into before this Friday (TOMORROW!), all BA Agreements executed on or after this Friday (1/25/13) will need to be revised by 9/23/2013, to be in compliance with the new HIPAA “Mega Rule”. Realistically, this would mean that the BA Agreements should be thoughtfully changed over the coming weeks, so that going forward all the new requirements are incorporated. Rushing to do something today could lead to costly errors and oversights. Based upon a couple of decades of experience dealing with information security and privacy contracting situations, I’ve found that it is usually better to do it right the first time instead of rushing to meet a deadline simply to get one more year to put something off.
So, in summary…
Unless a CE and BA have already spent a lot of time working on a BA Agreement, in most cases it will be better to take the time between now and 9/23, 2013, to ensure not only that the contract is updated correctly, but also to ensure that the BA will actually be performing everything the contract specifies: both the prior still existing, and new, requirements.
Most CEs are scrambling now to simply figure out WHO their BAs are, and IF they already have some type of agreement with them.
I am currently working on updating the BA Agreement that we have in our Compliance Helper Forms library so that it meets the new requirements. This in addition to updating all the other Policies, Procedures and compliance Tasks within Compliance Helper to meet all the new HIPAA Final Mega Rule requirements. (NOTE: I’m really psyched by the feedback from clients on how well this service works for them! 🙂 )
And now, a point that is *VERY* important for all the CEs and BAs to understand…
All the other, many, HIPAA Mega Rule requirements will still need to be complied with by 9/23, 2013!
This grandfathering *only applies to the BA Agreement updates*.
Tags: BA, BA Agreement, business associate, compliance, Compliance Helper, covered entity, federal register, Final Rule, healthcare, herold, HHS, HIPAA, HITECH, Information Security, Mega Rule, OCR, privacy, privacy professor, Rebecca Herold, security