By February 17, 2010, most group health plans are required to have updated business associate agreements. Since 2003, most group health plans have been required to have these special agreements with the service providers that have access to the plan’s protected health information, known as “business associates” of the group health plan. This requirement was established by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
However, in 2009, significant changes were made to HIPAA through the Health Information Technology for Economic and Clinical Health Act (HITECH), which was part of the American Recovery and Reinvestment Act of 2009. These changes increased the obligations of business associates and added certain new notice requirements. (Please see our Client Alert No. 816, entitled “The American Recovery and Reinvestment Act of 2009 Creates Unprecedented Expansion of HIPAA Requirements,” and our Client Alert No. 929, entitled “HHS Issues New HIPAA Breach Notification Rules,” for a more detailed summary of the changes.) Accordingly, the underlying business associate agreements are required to reflect the changes required by HITECH by February 17, 2010.
In addition to changes to business associate agreements, group health plans will likely have to update their notice of privacy practices (which are distributed to covered employees) and review their privacy and security policies for compliance with the new requirements of HITECH.
Because most group health plans do not have their own employees, the employers sponsoring those plans are responsible for ensuring that these plans satisfy the HIPAA requirements.
It has been our experience that the form business associate agreements and privacy practice notices prepared by most health plan providers are not in full compliance with these new requirements. The enhanced enforcement provisions, including increased penalties, of HITECH make compliance with these new requirements even more important for employers.