Final regulations issued by the Department of Health and Human Services in 2013 included changes to the HIPAA privacy, security and breach notification rules. Among other things, the final regulations included the following changes:

  • Expanded the definition of "business associate" to include any entity that creates, receives, maintains or transmits protected health information ("PHI"); and
  • Made business associates directly subject to designated portions of the rules.

Documentary compliance with the final regulations was generally required by September 23, 2013, including new or updated business associate agreements ("BAAs"). A special transition rule applies to BAAs that were in place as of January 25, 2013 and not modified between March 25, 2013 and September 23, 2013. BAAs qualifying for the transition rule are deemed compliant with the final regulations until the earlier of (i) the date the BAA is renewed or modified, and (ii) September 22, 2014.

Now is the time for employers to review each of their group health plans to identify business associates, determine whether up-to-date BAAs are in place, and take steps to establish new or modified BAAs as needed by September 22, 2014.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.