HIPAA: Business Associate Agreements and Notices of Privacy Practices
The Omnibus HIPAA Final Regulations issued in January required that all existing business associate agreements (entered into after January 25, 2013) and notices of privacy practices be modified to incorporate the items addressed in the final regulations no later than September 23, 2013. Business associate agreements that were entered into prior to January 25, 2013 and were compliant at the time of execution with the Health Information Technology for Economic and Clinical Health (HITECH) Act need not be revised until September 23, 2014.
The Office for Civil Rights and the Office of the National Coordinator for Health Information Technology of the Department of Health and Human Services have collaborated to develop model Notices of Privacy Practices for health care providers and health plans to use to communicate with their patients and plan members. The models reflect the regulatory changes of the Omnibus Rule and can serve as the baseline for covered entities working to come into compliance with the new requirements. However, health care providers and health plan administrators and sponsors should review the models carefully and tailor them by adding information as necessary to accurately describe and address their specific privacy practices.