Early last year, the Department of Health and Human Services issued final privacy and security regulations (Final Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Final Rule, effective March 26, 2013, imposes significant responsibilities on group health plans and their business associates, which include subcontractors of such business associates. A “business associate” is any party providing services to an employer or its health plan that receives, or may receive, protected health information from the health plan. A health plan typically has multiple business associates, which can include insurers, administrative service providers, consultants, and claim administrators.
The Final Rule requires a review of existing business associate relationships and, to the extent necessary, revisions of the related business associate agreements to incorporate the Final Rule’s compliance and disclosure provisions by September 22, 2014.
Sponsors of group health plans are encouraged to consult with their legal advisors to review all business associate agreements as soon as possible to determine whether they require revision to ensure compliance with the Final Rule.