By February 17, 2010, business associate contracts should be revised to reduce employers' potential liability under HIPAA. Although this alert is directed primarily to employers with self-insured health plans, employers with insured group health plans should also take note if protected health information is sent to third parties other than the insurance company.

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) included provisions directly subjecting business associates (e.g., medical billing and information technology companies, third-party administrators, accounting firms and other companies providing support services to health care providers or payers) to many of HIPAA’s privacy and security rules. Accordingly, your group health plan's business associate contracts may soon be outdated. Business associates are responsible for updating business associate contracts for compliance with the HITECH Act, but covered entities (e.g., group health plans) should also review their existing agreements to clarify or enhance indemnification rights, to obtain reasonable assurances that business associates have appropriate security measures in place and to clarify the parties' responsibilities if the privacy breach notification requirements are triggered.

Further regulations and guidance under the HITECH Act are expected to be released in the coming months. In the meantime, if you receive an amendment to your business associate contracts, we can assist you in reviewing it to ensure that your rights are protected under these agreements. For more information on the HITECH Act, please view previous Calfee First Alerts on this topic: