The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 created amendments to the Health Insurance Portability and Accountability Act (HIPAA) primarily aimed at the electronic transfer and use of protected health information (PHI). HIPAA covered entities (insurers, providers of service and employer–sponsors of self-insured health plans) are required to have a business associate agreement (BAA) with any service provider that performs functions or provides services for the covered entity that involve access to PHI or use of PHI by the business associate.
Under the latest HITECH amendment to HIPAA, the BAA that a covered entity held with its business associates was to be updated by September 23, 2013 to provide that the business associate is subject to the same regulation and penalties from the Department of Health and Human Services (HHS) as the covered entity. However, temporary relief was granted until September 23, 2014 for plans to comply with the new BAA requirements that were in effect as of the relief date (January 25, 2013) and that were not modified prior to September 23, 2013.
This means that if temporary relief was granted to an employer that sponsors a self-insured health plan, including a health flexible spending arrangement (FSA) and/or health reimbursement arrangement (HRA), and has not already updated the BAAs they hold with their business associates they need to do so by the deadline of September 23, 2014.
Conversely, employers that sponsor a self-insured health plan and updated their BAAs to comply last September 23rd need not make any further changes to the existing BAA.