Benefit News

Deadline for Updating HIPAA Business Associate Agreements is September 22, 2014

September 18, 2014

The Department of Health and Human Services issued a final rule on January 23, 2013 regarding HIPAA's privacy, security, enforcement and breach notification requirements that resulted in potential changes to business associate agreements (BAA) between covered entities (for example, a health plan) and their business associates.

The deadline for complying with these changes was September 23, 2013. However, the final HIPAA rule included an extended compliance deadline for BAAs that were entered into prior to January 25, 2013 (the date of the final HIPAA rule), and were not renewed or modified between March 26, 2013, and September 23, 2013, to remain compliant until the earlier of (1) September 23, 2014; or (2) the date the agreement was renewed or modified after September 23, 2013.

The transition rule extended the time for the paperwork only; it did not extend the time allowed for the covered entity and business associate to comply with the changes made by the final HIPAA rule.

Significant Changes For Business Associates in HIPAA Final Rule

Expanded Definition of "Business Associate"

The final HIPAA rule expanded the definition of "business associate" to include all entities that create, receive, maintain or transmit protected health information (PHI) on behalf of a covered entity, including subcontractors. Also, the final rule clarified that entities that store PHI, in hard copy or electronic format, are business associates even if they do not access, use or disclose that information.

A business associate that contracts with a subcontractor, and not the covered entity, is required to enter into a business associate agreement with the subcontractor. A covered entity must also obtain satisfactory assurances (through a BAA) from its business associates that they will appropriately safeguard PHI. Business associates must do the same with regard to their subcontractors and so on, no matter how far "downstream" the information flows.

New Compliance Obligations

The final rule also clarified the privacy and security provisions that directly apply to business associates, and noted that business associates are directly liable for failing to comply with these requirements. For example, business associates are directly responsible for complying with:

  • The HIPAA Security Rule's administrative, physical and technical requirements for safeguarding electronic PHI and implementing policies and procedures for protecting electronic PHI;
  • The Privacy Rule's restrictions on the use and disclosure of PHI; and
  • Reporting breaches of unsecured PHI to a covered entity in compliance with HIPAA's breach notification requirements.

Employer Action Items

Covered entities, including health plans, and business associates should review their BAAs to confirm that they are up to date with the final HIPAA rule.

For additional information, please contact your Burnham Benefits Consultant, Burnham Benefits at 949-833-2983, or
