
DLA Piper: Don’t Forget the Sept. 23 Deadline to Ensure Your Business Associate Agreements Comply with the HIPAA Omnibus Final Rule

By Marcia L. Augsburger

Under the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule published January 25, 2013, 78 Fed. Reg. 5566, Covered Entities (CEs) with Business Associate Agreements (BAAs) that were entered on or before January 25, 2013 and that were not modified after March 26, 2013 must revise their BAAs by September 23, 2014 as necessary to ensure compliance with the Final Rule. If you are a CE or a Business Associate (BA) and have not done so already, you may want to inventory all existing BAAs and related sub-contracts. If they were executed on or before January 25, 2013, you may need to send revised agreements or amendments to the other contracting parties.

We suggest CEs and BAs pay particular attention to terms requiring the reporting of Security Incidents. Under the Final Rule, contracts between CEs and BAs must include provisions that require BAs to report to CEs any Security Incidents of which they become aware. 45 CFR § 164.314(a)(2)(i)(C) & (b)(2)(iv) defines "security incident" as "the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system."

However, this definition and the reporting requirements are less concrete than they may appear. As stated in the preamble to the Security Rule, 68 Fed. Reg. 8350 (February 20, 2003), covered entities may determine what will constitute a Security Incident in the context of their business operations. Specifically, based on information gathered in complying with other security standards, entities may decide in advance: 

  • What specific actions will constitute a Security Incident in the context of their business operations
  • How incidents will be documented, including what information should be contained in the documentation
  • What incidents must be reported, how often and to whom, and what information reports should include
  • What other responses will be deemed appropriate to specific kinds of incidents and
  • Whether identifying patterns of attempted security incidents is reasonable and appropriate under the circumstances.

Indeed, CEs may decide that certain types of attempted or successful security incidents or patterns of attempted or successful incidents warrant different actions. For example, a CE may decide that a “ping” (a request-response utility used to determine whether a specific IP address, or host, exists or is accessible) warrants (1) minimal, if any, response; (2) no mitigation since no harmful effects were caused by the incident; and/or (3) brief documentation of the Security Incident and outcome.

If you are a CE, consider amending your BAAs, policies, procedures and/or notices of privacy practices to define "Security Incident" with particularity and to address the above. At a minimum, you should provide written notice of your definitions and requirements to your BAs if you have not yet done so.

If you are a BA, we suggest you request information from the CEs with which you contract about what actions constitute a Security Incident, how such incidents should be documented, and what type of reporting and/or record-keeping they require.

You may also wish to use the September 23, 2014 deadline as an opportunity to address ownership of PHI, how PHI may be de-identified, private dispute resolution and any other matters that were not addressed in your early BAAs.

Published by DLA Piper LLP (US)
Copyright © 2014 DLA Piper LLP (US)
All Rights Reserved

This bulletin is intended as a general overview and discussion of the subjects dealt with. It is not intended, and should not be used, as a substitute for taking legal advice in any specific situation. DLA Piper will accept no responsibility for any actions taken or not taken on the basis of this publication. Pursuant to applicable Rules of Professional Conduct, it may constitute advertising.
