Early last year, the Department of Health and Human Services issued final privacy and security regulations (Final Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Final Rule, effective March 26, 2013, imposes significant responsibilities on group health plans and their business associates, which include subcontractors of such business associates. A “business associate” is any party providing services to an employer or its health plan that receives, or may receive, protected health information from the health plan. A health plan typically has multiple business associates, which can include insurers, administrative service providers, consultants, and claim administrators.

The Final Rule requires a review of existing business associate relationships and, to the extent necessary, revisions of the related business associate agreements to incorporate the Final Rule’s compliance and disclosure provisions by September 22, 2014.

Sponsors of group health plans are encouraged to consult with their legal advisors to review all business associate agreements as soon as possible to determine whether they require revision to ensure compliance with the Final Rule.