HIPAA “Grandfathered” BAAs: Are Your Old Business Associate Agreements Still Compliant? (45 CFR § 164.532(e))

Executive Summary

The HIPAA Omnibus Rule of 2013 introduced new requirements for Business Associate Agreements (BAAs), but it also offered a temporary reprieve: certain older contracts were “grandfathered” in under § 164.532(e). Many small healthcare practices still rely on these legacy agreements, often without realizing they may now be out of compliance. This guide explains what qualifies as a grandfathered BAA, when it loses that status, and how to assess whether your agreements still meet current HIPAA requirements.

Introduction

Business Associate Agreements are a cornerstone of HIPAA compliance. They define how external partners handle Protected Health Information (PHI) and must contain specific elements under the Privacy and Security Rules.

When the HIPAA Omnibus Rule came into effect in March 2013, it updated the required content for BAAs. However, a transitional grace period was allowed for agreements already in place before January 25, 2013. These were termed “grandfathered” BAAs under § 164.532(e).

Now, more than a decade later, many small practices still assume their older BAAs are valid, but unless those contracts were updated by September 22, 2014, they may no longer offer legal protection.

What Is a Grandfathered BAA?

Definition Under § 164.532(e)

A BAA qualifies for grandfathering if:

  • It was in place before January 25, 2013

  • It was not modified or renewed between March 26, 2013, and September 23, 2013

  • It remained unchanged until September 23, 2014

After that date, all BAAs must comply with the updated Omnibus Rule requirements, regardless of their original execution date.

What changed in the 2013 HIPAA Omnibus Rule?

New required provisions for BAAs included:

  • The Business Associate must comply with the Security Rule

  • The BA must report breaches of unsecured PHI

  • The BA is subject to direct enforcement by HHS

Subcontractors of BAs must also enter into compliant downstream BAAs.

Case Study: Data Breach Exposes Old BAA Flaws

In 2011, a small dermatology clinic entered into a contract with a third-party billing service to streamline insurance claims and revenue cycle management. At the time, they executed a Business Associate Agreement (BAA) that was considered compliant with HIPAA as it stood then. However, when the HIPAA Omnibus Rule took effect in 2013 and introduced sweeping updates to BAA requirements, the clinic never revisited or updated its agreement.

Fast-forward to 2023. The billing company experienced a ransomware attack that compromised thousands of patient records, including names, diagnoses, treatment dates, and insurance information. The breach triggered an investigation by the Office for Civil Rights (OCR), which revealed a cascade of compliance failures.

Findings from the OCR Investigation:

  • The BAA was outdated and non-compliant. It lacked required elements mandated by the 2013 HIPAA Omnibus Rule, including clear provisions for breach notification and data protection responsibilities.

  • No breach notification clause existed. As a result, the billing company delayed informing the clinic and affected patients, prolonging the risk window.

  • Downstream vendor risks were ignored. The billing vendor had subcontracted certain services to a data entry firm overseas. This subcontractor had direct access to PHI but operated without any formal BAA in place, creating a major security and compliance vulnerability.

Outcome:

OCR concluded that the dermatology clinic failed to exercise appropriate oversight of its business associate relationships, as required under HIPAA. Despite not causing the breach directly, the clinic was held liable for inadequate risk management.

The consequences were substantial:

  • An $85,000 monetary settlement

  • Mandatory revision of all BAAs to meet Omnibus Rule standards

  • Implementation of a vendor management program

  • A two-year monitoring agreement with OCR, including regular audits and reporting

Takeaway:

This case underscores a vital truth: outdated Business Associate Agreements are not harmless relics; they are legal liabilities. HIPAA does not require OCR to prove intent or negligence to enforce fines. Simply failing to update agreements as required can lead to devastating outcomes for a small practice.

If you haven’t reviewed your BAAs since 2013, now is the time. A single document could be the difference between operational security and public exposure.

When Does a Grandfathered BAA Lose Protection?

  • Action: The BAA is amended after March 26, 2013
    Result: Loses grandfathered status

  • Action: The BAA is renewed (even automatically) before Sept 23, 2013
    Result: Loses grandfathered status

  • Action: The BAA remains unchanged through Sept 22, 2014
    Result: Grandfathered period ends after that date

As of September 23, 2014, all BAAs must meet current HIPAA requirements, regardless of whether they were previously grandfathered.

How to Know If Your BAA Is Still Valid

Ask the following:

  1. Was it signed before January 25, 2013?

  2. Did it remain unmodified and unrenewed between March and September 2013?

  3. Has it been updated to reflect Security Rule and breach notification duties?

  4. Do subcontractors have valid downstream BAAs?

If you answer “no” or “not sure” to any, your agreement is likely out of date and noncompliant.

Common Pitfalls and How to Avoid Them

  • Pitfall: Assuming older BAAs are still valid
    Consequence: Noncompliance; liability in breach
    How to avoid: Review all BAAs annually

  • Pitfall: Failing to add breach notification language
    Consequence: Delayed reporting, penalties
    How to avoid: Update templates with § 164.410 references

  • Pitfall: Using outdated templates with new BAs
    Consequence: Invalid contract
    How to avoid: Use Omnibus-compliant templates

  • Pitfall: Forgetting to verify subcontractor compliance
    Consequence: Hidden liability
    How to avoid: Require BAs to confirm downstream BAAs

  • Pitfall: No termination or data return clause
    Consequence: Retention of PHI after contract ends
    How to avoid: Ensure the BAA includes exit procedures

Checklist: Ensuring Your BAAs Are HIPAA-Compliant

  • Task: Inventory all current Business Associates
    Responsible: HIPAA Privacy Officer
    Frequency: Semiannually

  • Task: Identify BAAs signed before 2013
    Responsible: Compliance Team
    Frequency: One-time

  • Task: Confirm no modifications after Jan 2013
    Responsible: Legal or Admin
    Frequency: One-time

  • Task: Update BAA templates with Omnibus Rule language
    Responsible: Legal
    Frequency: Annually

  • Task: Include breach notification and subcontractor clauses
    Responsible: Privacy Officer
    Frequency: Per BAA

  • Task: Store signed BAAs for 6 years
    Responsible: Records Manager
    Frequency: Ongoing

Frequently Asked Questions

Can I keep using a 2012 BAA if it hasn’t been changed?

No. As of September 23, 2014, even grandfathered BAAs must meet the current HIPAA standards.

Do automatic renewals count as "modifications"?

Yes. An automatic renewal typically triggers a re-evaluation, which ends grandfathered status.

Do I need a new BAA if the business associate changes ownership?

Yes. A change in ownership or entity status requires a new agreement or amendment.

What happens if I don’t have any BAAs?

You’re out of compliance and at risk of enforcement action. You must execute BAAs with all vendors that access PHI.
