Under HIPAA, a Covered Entity has been required to have a Business Associate contract or, as it is commonly known, a Business Associate Agreement (“BAA”), with each of its BAs. A BA’s HIPAA responsibility to protect PHI was based only on the BA’s contractual responsibilities with the Covered Entity. HIPAA-compliant BAAs in effect before January 25, 2013 may be used until September 23, 2014 if not revised earlier.
However, BA compliance with the Omnibus Rule becomes mandatory on September 23, 2013. Therefore, it is in the best interest of Covered Entities to review and revise their BAAs to comply with the HIPAA requirements in effect as of September 23, 2013, regardless of whether they have a BAA that is effective because it is “grandfathered” through September 23, 2014.