Are Your Business Associate Agreements Up to Date? Recent Settlement Highlights Importance

Care New England Health System (CNE) recently paid $400,000 to settle allegations of HIPAA violations on behalf of covered entities for which CNE had performed administrative and technical services subject to a business associate agreement.

One of the allegations giving rise to the settlement, which followed the loss of unencrypted backup tapes containing protected health information, was that CNE and the covered entities had failed to update their business associate agreement to conform to the changes required by the HIPAA Omnibus Final Rule.

All covered entities and business associates were required to comply with the Final Omnibus Rule in 2013, which requires updating certain provisions of business associate agreements.  The Office of Civil Rights (OCR) of the Department of Health and Human Services – the entity that enforces the HIPAA Regulations – found that the covered entities for which CNE provided services had not updated their business associate agreements since 2005.

Key provisions that were changed by the Final Omnibus Rule and which must be included in business associate agreements include:

  1. Language indicating that the business associate will comply with the covered entity’s minimum necessary policies or specified minimum necessary requirements
  2. If the business associate is to carry out any HIPAA obligations for the covered entity (e.g., providing Notice of Privacy Practices to patients or responding to patients’ rights to access), then language must be included requiring the business associate to carry out such obligations in compliance with HIPAA
  3. Language indicating that the business associate will comply with the HIPAA Security Rule
  4. Language indicating that the business associate will comply with the Breach Notification Rule
  5. Language indicating that the requirements and obligations contained in the business associate agreement will be passed on to subcontractors of the business associate (“downstream business associates”)


Sample language that complies with the Final Omnibus Rule can be found on the OCR’s website. Our firm also offers free 15-minute consultations for potential covered entity or business associate clients who would like to further discuss the requirements. Please use our contact form to schedule a consultation.

