If you’ve been reading my blogs over the past year, you already know that you have to have Business Associate Agreements, or Business Associate Subcontractor Agreements* in place for all contractors that handle any of your PHI. Well, there was a little provision in the Omnibus ruling that stated that Business Associate Agreements enacted before January 25, 2013 were grandfathered in – until now. They will no longer be considered valid after September 23, 2014.
When was the last time you reviewed your Business Associate Agreements?
If it’s been a while, chances are your current agreements will no longer be valid by the end of this month. This means you need to have new agreements in place that are updated to comply with the new Rule. (Our Business Associate and Business Associate Subcontractor Agreements satisfy the requirements in the Omnibus Ruling.)
Before you sign these agreements, this is a great time to review those Privacy and Security Policies and Procedures, training logs and Notice of Privacy Practices from your Business Associates. It’s also a fantastic idea to ask your Business Associates to see any agreements they have with their Subcontractors and what they do with your information. You want to know if your cloud storage company is outsourcing your data to another company and where your email encryption company stores their encryption keys, etc.
How often do you need to update those Business Associate Agreements?
It’s a good business practice to periodically update your Business Associate Agreements every 2-3 years, barring any major changes in the law, security incidents or breaches.