
HIPAA Deemed Compliance Period Ends Next Month



August 22, 2014

The U.S. Department of Health and Human Services (HHS) issued final regulations in January 2013 modifying the privacy, security and enforcement provisions under the Health Information Portability and Accountability Act of 1996 (HIPAA). Covered entities and business associates were generally required to comply with the final regulations by Sept. 23, 2013. To reduce administrative burden and costs of renegotiating existing business associate agreements, HHS provided a transition period. Business associate agreements in place as of Jan. 25, 2013, and not modified or renewed between March 26, 2013, and Sept. 23, 2013, were deemed to comply with the new regulations for up to 12 months. All relevant entities should note that the deemed compliance period ends Sept. 22, 2014.

What This Means To You

As of September 22, 2014, business associate agreements must require that business associates:

  • comply with the security rules with respect to electronic protected health information (PHI);
  • obligate all subcontractors to comply with the same restrictions and conditions that apply to the business associate;
  • report security incidents and breaches of unsecured PHI to the covered entity; and
  • to the extent the business associate will carry out a covered entity’s obligations under the privacy rule, comply with the requirements of the privacy rule that apply to the covered entity.

If you are a covered entity, you must identify your business associates and update business associate agreements by Sept. 22, 2014. If you have any questions, please contact Husch Blackwell attorney Deborah Hiser.

