Business Associate Obligations and Agreements: Aftermath of the HIPAA Omnibus Rule 2017

More than three years following the publication of the 2013 Omnibus Final Rule that implements HIPAA and HITECH, covered entities, business associates, and subcontractors continue to struggle with the negotiation, documentation, implementation, and ongoing performance of their respective HIPAA-related responsibilities. Potentially complicating that process, when negotiating business associate agreements between covered entities and business associates, and between business associates and their subcontractors, the parties often unnecessarily overreach by raising topics and seeking to impose obligations unrelated to the business associate's obligations under HIPAA, and thereby pursuing unnecessarily complex and onerous terms.

Recent enforcement actions provide a framework within which parties can identify the issues that matter most. This topic helps persons responsible for business associate contracting and implementation to understand the proper format and scope of a business associate agreement, address issues related to the obligations of subcontractors and agents, and develop streamlined forms and policies and procedures for operationalizing their business associate relationships.