Make HIPAA Deadlines for Compliance Happen

While there are various deadlines included in the 562-page HIPAA Omnibus Final Rule released in January, there are some HIPAA deadlines you should set for yourself so you are ready.

HIPAA Deadlines for Covered Entities

If you are a health care HIPAA Covered Entity, you need to be sure that all of your Business Associates, and all of their subcontractors that may come in contact with Protected Health Information (PHI), commit to achieving full compliance by the September 23, 2013 HIPAA deadline. Even though Business Associates are now directly responsible for HIPAA violations, you are still responsible for your Business Associates, and you risk large penalties if they don’t comply.

While you are busy having your Notice of Privacy Practices and your Business Associate Agreements updated, you need to start asking questions now of your vendors that touch PHI. If your Business Associates don’t plan on complying with HIPAA, you need to replace them with those that will, before the September HIPAA deadline.

HIPAA Deadlines for Business Associates

If you are a Business Associate, you should realize that health care clients are asking now if you will comply by September. Unless you let them know that you are planning to sign Business Associate Agreements and implement compliance by the September HIPAA deadline, you may lose business.

Some IT companies are waiting for their attorneys to advise them on whether they must comply with HIPAA. Waiting too long for your lawyers to advise you or create your documents may risk critical business relationships. The Final Rule seems pretty clear that if you store PHI, even if you don’t look at it, you must comply. There are no exemptions for encrypted data or servers in locked cabinets. This makes sense considering the federal government does not have the resources (or the desire) to inspect every file in every data center to see if it is encrypted, and determine who has the encryption keys.

Your compliance is required by your ACTs, not your contrACTs. If you store any PHI (even one record) in any form, whether written, voice, or image, you are now defined as a Business Associate. PHI does not have to be in an EMR system. You have until September to implement compliance, but your clients need to know NOW what you plan to do so they can plan their vendor strategy.

HIPAA requires Covered Entities to ensure compliance by their Business Associates, and the Business Associates must ensure compliance with any subcontractors they use. It gets complicated when IT companies rent space in data centers, resell hosted Microsoft Exchange and Cloud storage, and offer hosted VOIP phone systems that convert phone messages (which may include protected information) to e-mails. They purchase these services from vendors who in turn may be utilizing other vendors, and so on. Until now you did not have to care.

HIPAA Deadline Questions Covered Entities Should Ask their Business Associates

1. Are you aware that the services you provide mean that you are a HIPAA Business Associate?

2. Are you willing to sign an updated Business Associate Agreement that includes the new provisions of the HIPAA Omnibus Final Rule?

3. Will you have a full compliance program in place by the September 23, 2013 deadline? How will you accomplish this?

4. Are you willing to divulge to us the names and roles of all of your subcontractors, and their subcontractors, who see or maintain our protected data, by (your deadline)?

5. We will require evidence that you and all of the subcontractors are implementing compliance prior to the September deadline, or we will be forced to find a vendor who will comply. When will you be able to provide evidence you are working towards compliance in the following areas:

a. Written Policies

b. Documented HIPAA-compliant procedures

c. Workforce training

d. HIPAA-compliant workflows

e. Documentation of your work to provide evidence of compliance for an audit or data breach investigation

6. We may require an independent audit, at your expense, of your compliance as a requirement for you to continue as our vendor. Will you agree to this?

Get the answers clearly and in writing.

If the answer is No to any of these questions you don’t have many choices. First, escalate your concerns to the vendor’s executives to be sure they know they risk losing your business. Let them know that they ARE Business Associates, and you and the federal government hold them responsible even if they do not want to comply. Start interviewing their competitors and select one that will comply if you are worried about your current Business Associates meeting the HIPAA deadlines.

All of this takes time. It may seem like September 23 is a long way off, but you need to get answers now and make your vendor decisions quickly. If you don’t have everything in place before summer begins, it will be hard to comply by September.

"originally written for 4MedApproved"