Amend Business Associate Agreements



The Department of Health and Human Services (“HHS”) finalized rules related to HIPAA privacy and security. In general, these are changes required by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Non-Discrimination Act (“GINA”). There are numerous changes in the rule that will require compliance activities on the part of certain employers. This article focuses on obligations related to a group health plan’s agreements with its business associates. Our FAQs provide more information about the delicate relationship between employers and their self-insured health plans.

Employers Affected

The changes will affect any employer that uses a Business Associate (“BA”) to perform health plan related services that involve the handling[1] of Protected Health Information (“PHI”). While this is most common in a self-insured arrangement, fully insured plans may also use business associates in certain circumstances[2].

Employer Actions
Review existing Business Associate Agreements (“BAAs”).
Negotiate modifications to existing BAAs.
Ensure that newly contracted BAAs meet the requirements of the rule.

Timing Requirements

Covered entities and BAs must comply with the rule by September 23, 2013. New contracts with business associates entered into on or after January 25, 2013, should incorporate the requirements of the rule.

Employers and business associates (and business associate subcontractors) with contracts in effect on January 25, 2013, that are not renewed or modified from March 26, 2013, through September 22, 2013, may continue to operate under those contracts[3] until the earlier of:

Summary of HITECH Changes to the Privacy Rule Affecting the Content of BAAs[4]

Breaches: HITECH made BAs directly liable under the Privacy Rule for breaches of their BAAs. It also makes BAs directly liable for certain HIPAA violations. Specifically, a BA is directly liable under the HIPAA Rules for:

To that extent, a BA may not use or disclose PHI in a manner that is contrary to the Privacy Rule, even if its BAA has not yet been amended.

BAs remain contractually liable for other requirements of their BAAs and civilly liable under HIPAA for such breaches. As a consequence, certain modifications to BAAs are required to ensure that BAs comply with HIPAA.

Subcontractors: If a BA uses a subcontractor to handle PHI, the subcontractor is itself considered a BA and is directly subject to the Privacy Rule. Under the prior rule, a covered entity was not in compliance with the business associate requirements if it knew of a pattern of activity or practice of the BA that constituted a material breach or violation of the BA’s obligations under its BAA, unless the covered entity took reasonable steps to cure the breach or end the violation and, if such steps were unsuccessful, terminated the BAA or, if termination was not feasible, reported the problem to the Secretary of HHS. The new final rule eliminates the report to the Secretary, but adds a requirement reflecting the extension of the Privacy Rule to subcontractors of BAs.

Electronic PHI: HITECH requires BAs that handle electronic PHI to comply with the HIPAA Security Rule.

Unsecured PHI: HITECH imposes specific notification and other requirements if a covered entity suffers a breach of unsecured PHI; a BA that discovers such a breach must notify the covered entity so that the covered entity can meet its own notification obligations.

Ancillary Provisions: Although not expressly required by HITECH, many covered entities will want to include provisions in their BAAs ancillary to HITECH’s requirements. These may include:

HHS has posted a model “bare-bones” BAA on its web site: Sample Business Associate Agreement Provisions (as of January 30, 2013).


[1] In the context of this article, the term “handle” means the activities of creating, receiving, maintaining or transmitting PHI on behalf of a covered entity or another BA.

[2] For example, a fully insured plan may use a business associate if it utilizes a third party to provide:

[3] Contracts that renew automatically prior to September 22, 2014, without change or any other action on the part of the parties do not have to be modified as of the renewal date but can take advantage of the extension to September 22, 2014.

[4] This article only discusses the changes that apply to health plans; it does not address changes that apply to health care providers.