The September 22, 2014 deadline to revise business associate agreements (BAA) may have seemed like a date far into the future when the HIPAA omnibus final rule was released January 25, 2013. However, this compliance date is just around the corner as we continue to move along the road toward establishing and maintain compliance with the HIPAA privacy and security rules.
This date in September is notable because many organizations—both covered entities (CE) and business associates (BA)—find themselves dealing with the need to update or revise their BAAs. CEs were allowed to use existing BAAs for an additional year following the September 23, 2013 omnibus rule compliance date. Essentially, this meant that BAAs in place prior to January 25, 2013, which were not going to expire prior to September 22, 2013, could continue to be used until September 22, 2014. This gave BAs and CEs 18 months to determine what changes were needed to comply with the omnibus rule and then update or revise their BAAs accordingly. Despite the window of opportunity to address the issue of updating BAAs, it seems from my perspective that the majority of activity related to this task began occurring about a month or so before September 22, 2014.
HHS posted a sample BAA on its website January 25, 2013.  In the second paragraph of the introduction, HHS lists 10 items that must be included in the written contract between a CE and its BA. Even though CEs and BAs may have recently updated their BAA in time for the compliance date, I believe it is worth the time to review these updated agreements and ensure they include the requirements identified in the HIPAA omnibus final rule.
Editor’s note: This post is adapted from an article written by Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Arizona, for HCPro’s Briefings on HIPAA (BOH).  Look for the complete article in an upcoming issue of BOH. Ruelas is a BOH editorial advisory board member.