HIPAA Security Rule Updates: New Business for Business Associates | Bradley Arant Boult Cummings LLP

Bradley has begun a multi-part blog series on the US Department of Health and Human Services’ (HHS) proposed changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), beginning last week with an overview of the Notice of Proposed Rulemaking (NPRM) published on January 6, 2025. This marks the first update to the HIPAA Security Rule since its original publication in 2003 and its last revision in 2013. In this weekly series, we will continue to explore key changes and their implications and provide insight and advice to covered entities and their business associates under HIPAA.

What’s new for BAs and BAAs?

This week’s installment covers the proposed changes that specifically affect business associates (BAs) and business associate agreements (BAAs), as well as the responsibilities of covered entities when a business associate serves as their HIPAA Security Officer.

Reviews of BAAs

The NPRM requires regulated entities to include within their BAAs the following new provisions:

  • Notifying the covered entity (and the business associate’s downstream BAs) within 24 hours of activating its contingency plan;
  • Written verification that the BA (and the business associate’s downstream BAs) has implemented technical safeguards as required by HIPAA; and
  • Requirements to provide written assurance at least once every 12 months that the BA has implemented technical safeguards, validated by cybersecurity experts and certified by a person in authority at the BA.

In addition, as part of the required security risk assessment process, regulated entities must assess the risks of entering into a BAA with a current or prospective BA based on this written verification.

The revisions will require updates to both BAAs now in effect and any new BAAs entered into after the publication of the Final Rule. Similar to the implementation of the HITECH rule in 2013, these required revisions will have an open window for regulated entities to comply. Specifically, the transition provisions of the NPRM state that a BAA will be considered compliant if the following circumstances exist: (1) the BAA contains the required provisions applicable at the time of publication of the Final Rule, and (2) the BAA has not been renewed or modified within 60 to 240 days after publication of the Final Rule. However, all BAAs must be in compliance within one year plus 60 days after publication of the Final Rule.

These revisions may create a significant administrative burden for both small and large regulated entities. In preparation for publication of the Final Rule, regulated entities should review their current BAAs to confirm that these agreements are up to date with the requirements in effect at the time of execution, so that they can take advantage of the compliance ramp. Even under current law, regulated entities may also benefit from updating their vendor management programs to require written verification of technical safeguards, scaled to the level of risk associated with each business associate’s handling of PHI.

Covered Entities’ Delegation of Security Officers

The NPRM also confirms that a covered entity may appoint a business associate as its Security Officer. Importantly, HHS clarifies its view that the covered entity remains ultimately responsible for compliance with the Security Rule even when the service is contracted to a business associate.

The HHS Office for Civil Rights (OCR) will accept comments until March 7, 2025.

In our next posts in this series, we’ll explore changes to the HIPAA Security Rule affecting group health plans and current thinking about AI technologies.

Please visit the HIPAA Security Rule NPRM and the HHS Fact Sheet for additional resources.
