Is It Time to Update Your BAA?

Article provided by Janet Palcko of NEO Administration Company. BASIC is a majority partner of NEO Administration Company and together deliver integrated HR solutions to clients nationwide.

Earlier this year, the Department of Health and Human Services (“HHS”) formally published its Omnibus Final Rule (“Final Rule”), which includes modifications to the HIPAA Privacy and Security Rules under the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Nondiscrimination Act (“GINA”). These modifications require covered entities (e.g., health plans and health care providers) to review and update their existing Business Associate Agreements (BAAs) to ensure compliance with the new HIPAA Omnibus Rule.

A group health plan sponsored by an employer is a “covered entity.” Covered entities are obligated under HIPAA to have Business Associate Agreements (“BAAs”) in place with any vendor or service provider (e.g., third-party administrators, claim processors, etc.) that uses or discloses protected health information (“PHI”) in carrying out its obligations to the covered entity. Thus, an employer who sponsors a Health FSA or Health Reimbursement Arrangement must have a BAA executed with the third-party administrator who manages the claims and reimbursements for that plan.

BAA Updates

The new requirements are not significantly different from the old BAA content requirements, but the following changes should be noted:

  • The definition of “business associate” was expanded to include not only businesses that contract directly with covered entities, but also those that act as subcontractors to business associates and perform services on behalf of the business associate involving health information.
  • The BAA must state that the business associate will comply with the requirements of the Privacy Rule that apply to the covered entity when performing the covered entity’s obligations under the Privacy Rule (e.g., the provision of Notices of Privacy Practices).
  • The BAA must include a provision stating that the business associate is directly subject to the Security Rule.

Timeline for Compliance with New BAA language

The HIPAA Omnibus Rule became effective on March 26, 2013, but the new BAA requirements are generally not effective until September 23, 2013. All covered entities and their business associates must comply with the substance of these new rules as of September 23, 2013. The deadline for updating the BAA itself, however, can vary:

1) Parties that do not currently have a BAA in place have until September 23, 2013 to execute one that is compliant with the new rules.

2) Parties that already had a BAA in place on January 25, 2013 that complied with the pre-HIPAA Omnibus Rule BAA requirements have additional time to update their BAAs. They can wait until the earlier of the following to update their existing BAAs:

    • The date the BAA is renewed or modified on or after September 23, 2013, or
    • September 22, 2014.

About the Author

Janet Palcko is a partner at NEO Administration Company, a benefits consulting firm that provides FSA, HRA, HSA and COBRA administration and compliance services to area employers. As managing partner, she is responsible for all aspects of NEO’s business, from fiscal planning to practice development, compliance, and client services. Ms. Palcko is a member of the National Association of Professional Benefit Administrators (NAPBA) and the Employer’s Council on Flexible Compensation (ECFC) in Washington DC and is one of a select number of practitioners in the U.S. who have earned the designation of Certified in Flexible Compensation (CFC) from ECFC’s Academy of Professional Standards & Ethics. The CFC designation is the highest professional certification available for practitioners in flexible compensation. Janet is also certified in FSA, HRA, HSA and COBRA administration.