In certain circumstances, the Final Rule allows additional time (in addition to the 180-day compliance period) to revise business associate agreements to make them compliant. In particular, transition provisions will allow covered entities and business associates to continue to operate under existing business associate agreements for up to one year beyond the compliance date (until September 22, 2014) if the business associate agreement:
Explore This Issue
May 2013- Is in writing;
- Was in place prior to January 25, 2013 (the publication date of the Final Rule);
- Is compliant with the Privacy and Security Rules as in effect immediately prior to January 25, 2013; and
- Is not modified or renewed.
This additional time for grandfathered business associate agreements applies only to the written documentation requirement. Covered entities, business associates and subcontractors will be required to comply with all other HIPAA requirements beginning on the compliance date, even if the business associate agreement qualifies for grandfathered status.
*The exceptions relate to 1) unintentional, good faith access, acquisition or use by members of the covered entity’s or business associate’s workforce; 2) inadvertent disclosure limited to persons with authorized access and not resulting in further unpermitted use or disclosure; and 3) good faith belief that the unauthorized recipient would be unable to retain the PHI.
Steven M. Harris, Esq., is a nationally recognized health care attorney and a member of the law firm McDonald Hopkins, LLC. He may be reached at sharris@mcdonaldhopkins.com.
Reprinted with permission from the American College of Rheumatology.