The deadline for updating your health plan’s existing business associate agreements is rapidly approaching.
The final regulations issued on January 25, 2013 under the Health Insurance Portability and Accountability Act (“HIPAA”) required that all business associate agreements (“BAAs”) between a covered entity, such as an employer’s health plan, and a business associate engaged to help that covered entity carry out its health care activities and functions, be updated by September 23, 2013, to reflect the applicable requirements of the final rule. (Business associates include vendors and other third parties who receive or maintain “protected health information” on behalf of an employer’s health plan, such as third party administrators and claims administrators.)
However, the regulations provided for a “limited deemed compliance period” for BAAs that were in effect prior to January 25, 2013, with such existing BAAs deemed to be in compliance with the final rules until September 22, 2014 (or, if earlier, the date renewed or modified). Those existing BAAs then must be updated to reflect the applicable requirements of the final regulations by the end of the deemed compliance period.
Accordingly, prior to September 22, 2014, sponsors of health plans that are subject to the HIPAA privacy rules should reconfirm that all required BAAs are in place, and should update any that have not already been brought into compliance with the final regulations.