Bradley launched a multi-part blog series on the U.S. Department of Health and Human Services’ (HHS) proposed changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, starting last week with a preview. The Notice of Proposed Rulemaking (NPRM) was published on January 6, 2025. This marks the first update since the original publication of the HIPAA Security Rule in 2003 and its last revision in 2013. In this weekly series, we will continue to explore key changes and their implications and provide ideas and takeaways for covered entities and their business associates under HIPAA.
What’s New for BAs and BAAs?
This week’s installment addresses proposed changes specifically affecting Business Associates (BAs) and Business Associate Agreements (BAAs), as well as the responsibilities of covered entities that appoint a Business Associate to serve as their HIPAA Security Officer.
BAA Revisions
The NPRM requires regulated entities to include the following new provisions in their BAAs:
- Notification to the covered entity (and to any downstream business associate) within 24 hours of activation of the BA’s contingency plan;
- Written verification that the BA (and any BA downstream of the Business Associate) has deployed the technical safeguards required by HIPAA; and
- A requirement to provide written assurances at least once every 12 months that the BA has implemented technical safeguards, validated by a cybersecurity expert and certified by a person with authority at the BA.
Additionally, as part of the required security risk assessment process, regulated entities must assess the risk of entering into a BAA with a current or potential BA based on this written verification.
The revisions will require updates to both existing BAAs and any new BAAs entered into after publication of the final rule. As with the implementation of the HITECH rules in 2013, these required revisions will come with a compliance ramp for regulated entities. Notably, the transition provisions of the NPRM indicate that an existing BAA will be deemed compliant if both of the following circumstances exist: (1) the BAA contains the required provisions applicable at the time the final rule is published, and (2) the BAA is not renewed or amended within 60 to 240 days after publication of the final rule. However, all BAAs must be compliant within one year plus 60 days after publication of the final rule.
These revisions can create a significant administrative burden for regulated entities large and small. In preparation for the final rule, regulated entities should review their current BAAs to confirm that these agreements are up to date with the requirements in effect at the time of execution, so that they can take advantage of the compliance ramp. Even under current law, regulated entities may also benefit from updating their vendor management programs to require written verification of technical safeguards, scaled to the level of risk associated with each business associate’s handling of PHI.
Covered Entity Delegation of Security Officers
The NPRM also confirms that a covered entity may appoint a business associate as its security officer. Importantly, HHS clarifies its view that the covered entity remains ultimately responsible for compliance with the Security Rule even when this function is contracted to a business associate.
The HHS Office for Civil Rights (OCR) will accept comments until March 7, 2025.
In the next articles in this series, we will dive into the HIPAA Security Rule changes affecting group health plans and current thinking related to AI technologies.
Please visit HIPAA NPRM Security Rule and the HHS Fact Sheet for additional resources.