[NOTE: Due to haste in drafting and inept editing on my own part, I left out the key word “not” in the sentence discussing automatically renewing or “evergreen” contracts, now inserted in RED in the second paragraph. Obviously this reversed the meaning. My actual interpretation, based on some rather unclear discussion by OCR in the Megarule Preamble, 78 Federal Register at 5603, is that an automatically renewing/evergreen contract which is was in place as of January 25, may remain in place until September 24, 2014, unless amended or (non-automatically) renewed before then. Sorry about the confusion, mea culpa!]
Business Associate Contracts which are compliant with HIPAA probably are not going to include all provisions needed to be compliant with the new HITECH requirements as well. Because a compliant Business Associate Contract is a regulatory requirement, failure to have a HITECH-Compliant Business Associate Contract as of the date such a contract is a required will expose both Covered Entity and its Business Associate, or a Business Associate and its downstream Business Associate, to civil monetary penalties.
DHHS recognized that there is some burden involved in amending existing Business Associate Contracts, and so allows for some existing contracts to be “deemed compliant.” A HIPAA-Compliant Business Associate Contract which is “deemed compliant” satisfies the requirement to have a Business Associate Contract in place until the date on which the parties are required to implement a HITECH-Compliant Business Associate Contract. This status continues until the later of the date on which the contract or arrangement to which the Business Associate Contract applies is amended or renewed (if it is NOT an automatically renewing or “evergreen” contract) or September 24, 2014. Parties to a Business Associate Contract which is “deemed compliant” therefore have an additional year to negotiate and establish a HITECH-Compliant Business Associate Contract, if the underlying agreement or arrangement is not amended or renewed.
This “deemed compliant” provision applies to Business Associate Contracts between Business Associates and Subcontractors as well as those between Covered Entities and Business Associates, but it is not clear whether this has much practical value. It must be hoped that DHHS would accept a contract between a Business Associate and a Subcontractor which met the criteria for a HIPAA-Compliant Business Associate Contract as “deemed compliant,” since DHHS wrote the regulations to allow for such contracts in the first place. However, it is not clear that many contracts between Business Associates and Subcontractors are in fact fully HIPAA-compliant, since they didn’t have to be. This is even more likely to be the case for Lower Tier Business Associates. As a practical matter, then, very few HIPAA-related contracts between Business Associates and Subcontractors are likely to be “deemed compliant.”
The timing rules for determining which contracts are “deemed compliant” are somewhat convoluted for reasons which are not altogether clear. Regulations only become effective 60 days after they are published in the Federal Register, so a January 25 Federal Register publication date means the Omnibus Rule has an effective date of March 26. DHHS also provided for a 180 day period before compliance with the Omnibus Rule is required, giving a Compliance Date of September 23.
For whatever reason, DHHS chose the Federal Register publication date rather than the effective date as the cutoff for “deemed compliant” Business Associate Contracts. HIPAA-Compliant Business Associate Contracts which are in effect as of January 25 are therefore “deemed compliant” if they are not amended or renewed during the period between the March 26 effective date and the September 23 Compliance Date.
This leaves open the question of what happens if a Business Associate Contract is in effect as of January 25 and there is an amendment or renewal before March 26 but not between March 26 and September 23. The prudent assumption would probably be that it amendment or renewal between January 25 and March 26 would also cause a Business Associate Contract to no longer be “deemed compliant.”
However, it should also be noted that there is no actual obligation to enter into or have in place a HITECH-Compliant Business Associate Contract before September 23, since there is no provision excepting the Business Associate Contract provisions from the overall Omnibus Rule Compliance Date of September 23. As a practical matter it will probably be better to use a HITECH-Compliant Business Associate Contract for any new agreements established after January 25 which will continue past September 23, since any non-compliant Business Associate Contract will have to be replaced or amended to be compliant by that date anyway.
It would probably also ideally be better to use a HITECH-Compliant Business Associate Contract for any amendments or renewals affecting existing Business Associate Contracts occurring after January 25. However, if it is not practical to do so there don’t seem to be any regulatory consequences unless the non-compliant contract continues past September 23, 2013. Parties to such agreements or arrangements therefore would have until September 23, 2013 to settle on a HITECH-Compliant Business Associate Contract, if they were not able to negotiate one before.
The following rules therefore apply to the implementation of HITECH-Compliant Business Associate Contracts:
(i) The date on which the agreement or arrangement it applies to is renewed or amended on or after September 22, 2013, or
(ii) September 24, 2014.
© 2013 John R. Christiansen