Don’t forget the 23 September 2014 deadline to ensure your business associate agreements comply with the Omnibus Final Rule

By Marcia L Augsburger

Under the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule published 25 January 2013, 78 Fed. Reg. 5566, covered entities (CEs) with business associate agreements (BAAs) that were entered on or before 25 January 2013 and that were not modified after 26 March 2013 must revise their BAAs by 23 September 2014 as necessary to ensure compliance with the Final Rule. If you are a CE or a business associate (BA) and have not done so already, you may want to inventory all existing BAAs and related subcontracts. If they were executed on or before 25 January 2013, you may need to send revised agreements or amendments to the other contracting parties.

We suggest CEs and BAs pay particular attention to terms requiring the reporting of security incidents. Under the Final Rule, contracts between CEs and BAs must include provisions that require BAs to report to CEs any security incidents of which they become aware. 45 CFR § 164.314(a)(2)(i)(C) and (b)(2)(iv) defines ‘security incident’ as ‘the attempted or successful unauthorised access, use, disclosure, modification or destruction of information or interference with system operations in an information system’…

Click on the link below to read the rest of the DLA Piper briefing.

Briefings from DLA Piper

View more briefings from DLA Piper

Analysis from The Lawyer

View more analysis from The Lawyer


3 Noble Street

Turnover (£m): 1,539.00
No. of lawyers: 4,374(UK 200)
Jurisdiction: Global
No. of offices: Over 75
No. of qualified lawyers: 625 (International 50)