HIPAA Omnibus Rule: Part 6 (Business Associate Agreements)

The HIPAA Omnibus Rule, formally the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act, 78 Fed. Reg. 5566 (Jan. 25, 2013), changes several of the rules governing business associate agreements. Under the final rule:

  • 45 CFR 164.502(e) requires a business associate agreement (BAA) between a covered entity (CE) and its business associate (BA). There is now a parallel requirement for an agreement between a BA and each of its subcontractors.
  • The CE does not need a BAA with the subcontractor. However, subcontractors down the chain have direct liability under the HIPAA Rules.
  • The CE no longer needs to inform HHS when termination of the BA agreement is not feasible; the same treatment applies to BAs and their subcontractors.
  • When the CE delegates a responsibility to the BA, the CE remains liable for the BA’s failure to comply with HIPAA (45 CFR 164.504(e)(2)(ii)(H)). HHS gives this example:

For example, if a third party administrator, as a business associate of a group health plan, fails to distribute the plan’s notice of privacy practices to participants on a timely basis, the third party administrator would not be directly liable under the HIPAA Rules, but would be contractually liable, for the failure. However, even though the business associate is not directly liable under the HIPAA Rules for failure to provide the notice, the covered entity remains directly liable for failure to provide the individuals with its notice of privacy practices because it is the covered entity’s ultimate responsibility to do so, despite its having hired a business associate to perform the function.

  • Important: while section 13404 of the HITECH Act provides that business associates are now directly liable for civil money penalties under the HIPAA Privacy Rule for impermissible uses and disclosures and for the additional HITECH requirements in Subtitle D that are made applicable to covered entities, it does not apply all of the requirements of the Privacy Rule to business associates and thus, the final rule does not. Therefore, business associates are not required to comply with other provisions of the Privacy Rule, such as providing a notice of privacy practices or designating a privacy official, unless the covered entity has chosen to delegate such a responsibility to the business associate, which would then make it a contractual requirement for which contractual liability would attach.
  • With respect to BA agreements with subcontractors: “each agreement in the business associate chain must be as stringent or more stringent as the agreement above with respect to the permissible uses and disclosures.”

HHS has published Sample Business Associate Agreement Provisions (as of January 25, 2013) on its website. This is a good working template as a starting point for any BAA.

On the webpage, HHS notes that the BAA must:

(1) establish the permitted and required uses and disclosures of protected health information by the business associate;

(2) provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;

(3) require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information;

(4) require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information;

(5) require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings;

(6) to the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation;

(7) require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;

(8) at termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity;

(9) require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and

(10) authorize termination of the contract by the covered entity if the business associate violates a material term of the contract.

Contracts between business associates and business associates that are subcontractors are subject to these same requirements.

HHS addresses HIPAA compliance certification very clearly:

The Department declines to establish or endorse a certification process for HIPAA compliance for business associates and subcontractors. Business associates and subcontractors are free to enlist the services of outside entities to assess their compliance with the HIPAA Rules and certification may be a useful compliance tool for entities, depending on the rigor of the program. However, certification does not guarantee compliance and therefore “certified” entities may still be subject to enforcement by OCR.

See our full series of articles:

HIPAA Omnibus Rule: Part 1 (Overview)

HIPAA Omnibus Rule: Part 2 (Business Associates & Subcontractors)

HIPAA Omnibus Rule: Part 3 (Enforcement & Penalties)

HIPAA Omnibus Rule: Part 4 (Security Rule Changes)

HIPAA Omnibus Rule: Part 5 (Privacy Rule Changes)

HIPAA Omnibus Rule: Part 6 (Business Associate Agreements)

HIPAA Omnibus Rule: Part 7 (Notice of Privacy Practices & Other Provisions)

HIPAA Omnibus Rule: Part 8 (Breach Analysis)


The healthcare privacy and security requirements of HIPAA and HITECH can be daunting. Even small healthcare offices can be subject to federal and state privacy and confidentiality compliance rules. For healthcare legal and regulatory expertise, contact the HIPAA and HITECH legal team at the Cohen Healthcare Law Group.
