September 22 Deadline Looms: Less than Three Weeks Remain to Update Business Associate Agreements Under Final HIPAA Omnibus Rule


On January 25, 2013, the U.S. Department of Health and Human Services (HHS) published its final HIPAA omnibus rule (“Omnibus Rule”) aimed at strengthening the privacy and security protections for health information. The year-long, extended “transition period” for covered entities and business associates to comply with the new business associate agreement requirements is drawing to a close, and the deadline for revising all business associate agreements under the Omnibus Rule is September 22, 2014.

The Omnibus Rule marked the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented in 1996, according to some industry observers. One of these changes requires covered entities and business associates to modify their existing business associate agreements to implement the new requirements of the Omnibus Rule. Failure to revise a business associate agreement will constitute a violation of HIPAA subject to the enhanced HIPAA civil monetary penalties.

Except for certain existing agreements, covered entities and business associates were required to comply with the new business associate agreement requirements by September 23, 2013. To minimize the administrative burden and cost of revising certain existing agreements, however, HHS provided a “transition period” that would allow covered entities and business associates to continue to operate under certain existing contracts for up to one year beyond the original compliance date. Specifically, HHS extended the deadline for revising business associate agreements in place as of January 25, 2013, and not renewed (excluding auto-renewals) or modified between March 26, 2013 and September 23, 2013, until the earlier of:

  1. the date the agreement is renewed or modified, or
  2. September 22, 2014.

Accordingly, all business associate agreements (including those between business associates and their subcontractors) must comply with the requirements of the Omnibus Rule by no later than September 22, 2014.

For additional information on the final HIPAA Omnibus Rule and its impact on business associate agreements, please contact Colbey Reagan, Kevin Page or any member of Waller’s Healthcare Compliance & Operations Practice at 800-487-6380.



The opinions expressed in this bulletin are intended for general guidance only. They are not intended as recommendations for specific situations. As always, readers should consult a qualified attorney for specific legal guidance.