HIPAA Rule Update: Extended Compliance Time for “Grandfathered” Agreements
Health Law Update 01/22/13 Sarah E. Coyne
As we noted in a previous update (http://www.quarles.com/HIPAA-privacy-security-breach-notification-enforcement-rules-2013/), on January 17, 2013 the Department of Health and Human Services (DHHS) released the final rule implementing changes to HIPAA, mandated by the HITECH Act. The effective date for the final rule is March 26, 2013, but covered entities have 180 days to comply with the applicable requirements, meaning the compliance date for the new rules will be September 23, 2013.
Like the current rules, the new rules require covered entities to enter into HIPAA-compliant agreements with business associates prior to disclosing protected health information. Business associates, in turn, have the same obligation with respect to subcontractors. Depending on the content of your current agreements, these changes may require revisions to your business associate and/or data use agreements (I know - just what you wanted to hear!). However, the September 23, 2013 compliance date should not frighten you (unless you are an overworked health care lawyer, reading the rule in the middle of the night with bleary eyes and a healthy dose of paranoia). DHHS included a transition period in the final rule, allowing covered entities and business associates to continue operating under certain existing contracts for up to one year beyond the compliance date.
Business Associate Agreements
Under the final rule, business associate agreements that are entered into prior to January 25, 2013 will be deemed to be compliant with the documentation requirements of the final rule. This applies as long as the agreements (1) were compliant with the applicable provisions of the Privacy Rule that were in effect at the time and (2) are not renewed or modified between the Effective Date (March 26, 2013) and the Compliance Date (September 23, 2013) of the rule. This "grandfathered" status is temporary, intended only to allow covered entities and business associates the time to review and revise their current agreements. Such agreements will only be "grandfathered" until the earlier of (1) the date such agreement is renewed or modified on or after the Compliance Date (September 23, 2013) or (2) September 22, 2014. For agreements that automatically renew without changes in terms (sometimes referred to as "evergreen contracts"), the automatic renewal will not affect the "grandfathered" status of the agreement unless the parties modify the terms of the agreement. Got all that? It's contract talk.
Don't be frightened by the upcoming January 25 deadline. There should not be a need for anyone to scramble to get agreements in place by that date. If you do not have compliant business associate agreements, you will have until September 23, 2013 to enter into agreements that reflect the changes in the final rule. The "grandfathered" status will only apply to those covered entities and business associates who have already entered into HIPAA-compliant agreements. If you fall into this category, you will have an additional year (until September 22, 2014) to revise those agreements to comply with the new requirements. If you have already revised your agreements to account for changes in the HITECH Act, it is possible that your agreements will not require any further revisions.
It is important to note that the "grandfathered" status applies only to HIPAA documentation requirements and not to any substantive privacy obligation. Covered entities and business associates will still have to comply with the rest of the final rule as of the Compliance Date. So, beginning on September 23, 2013, a business associate may not use or disclose protected health information in a manner contrary to the Privacy Rule, regardless of whether the business associate agreement has been amended. In other words, a very lousy response to a scrutinizing regulator would be, "It doesn't matter that I emailed a bunch of PHI through a non-secure gateway to my home computer because I have a compliant business associate agreement with myself!"
Data Use Agreements
The final rule created new restrictions on the sale of protected health information that may affect arrangements between covered entities and business associates, particularly if those arrangements involved payment for disclosure of protected health information. Nevertheless, the final rule allows covered entities to continue to disclose protected health information in a limited data set, even if such disclosure would otherwise constitute a sale of protected health information under the final rule, as long as it is done pursuant to a data use agreement entered into prior to January 25, 2013, and which complies with the current requirements at 45 CFR 164.514(e). As with business associate agreements, this "grandfathered" status applies only until the earlier of (1) the date such agreement is renewed or modified on or after the Compliance Date (September 23, 2013) or (2) September 22, 2014.
Stay tuned for further updates on the new HIPAA rules.