Skip to main content
A Better Partnership


Mar 2013
March 07, 2013

New HIPAA Rules for Business Associate Agreements

New HIPAA privacy regulations have been released, so if you are negotiating business associate agreements, you should update the agreements before you finalize them.

The Office of Civil Rights (OCR)  has published long-awaited updates to the HIPAA Privacy, Security and Breach Notification Rules, as required under the HITECH Act. The updated rules generally go into effect on Sept. 23, 2013. But OCR has provided additional time to bring business associate agreements into compliance—provided that you entered into the agreement before Jan. 25, 2013. Such agreements are grandfathered until Sept. 22, 2014 or the date the contract is renewed or modified, whichever occurs first. But any new agreement entered into on or after Sept. 25, 2013 will not be grandfathered and must be updated by the Sept. 23, 2013 compliance deadline. If you are currently negotiating a business associate agreement, you’ll be well advised to update it now so that you do not have to revisit it in September.

The new rules expand the definition of a business associate, extend HIPAA liability directly to business associates and their subcontractors, and include new restrictions on the marketing and sale of protected health information. You’ll want to review your business associate agreements to ensure that they address these issues. You’ll also want to make sure your agreements address the new breach notification rule that requires a risk assessment to determine whether the confidentiality of protected health information has been compromised (instead of the old “likelihood of harm” standard).

The attorneys at Warner Norcross & Judd are available to help you update your business associate agreements. Please contact Norbert Kugele ( or 616.752.2186) or Nate Steed ( or 616.752.2723) for assistance.

NOTICE. Although we would like to hear from you, we cannot represent you until we know that doing so will not create a conflict of interest. Also, we cannot treat unsolicited information as confidential. Accordingly, please do not send us any information about any matter that may involve you until you receive a written statement from us that we represent you.

By clicking the ‘ACCEPT’ button, you agree that we may review any information you transmit to us. You recognize that our review of your information, even if you submitted it in a good faith effort to retain us, and even if you consider it confidential, does not preclude us from representing another client directly adverse to you, even in a matter where that information could and will be used against you.

Please click the ‘ACCEPT’ button if you understand and accept the foregoing statement and wish to proceed.



+ -