Business Associate Agreements
The final HIPAA Privacy and Security Rule expands the definition of business associates to include subcontractors of existing business associates, and makes significant changes extending the direct liability for HIPAA compliance to business associates and their subcontractors. It also affirms that covered entities are liable for penalties for the failure of a business associate "agent" to perform a function on the covered entity's behalf. As a result, plan sponsors will need to review, and possibly revise, existing business associate agreements.
Employers should make sure that their Business Associate Agreements (BAAs) include the following requirements for their business associates:
- Comply with requirements of the HIPAA Privacy Rule applicable to business associates
- Comply with the HIPAA Security Rule with regard to electronic PHI
- Report breaches of unsecured PHI to the covered entity
- Ensure that all subcontractors of the business associate agree to the same restrictions that apply to the business associate
If existing BAAs must be changed, and the covered entity and business associate had an agreement in place on January 25, 2013, the parties can rely on the existing agreement until the earlier of the date the agreement is renewed or modified, or September 22, 2014.
If the parties did not have an agreement in place prior to January 25, 2013, an agreement complying with the requirements of the Final Rule must be in place by September 23, 2013.
A model Business Associate Agreement with the necessary modifications is posted on The McCart Group website for use with your business associates and subcontractors.
Your Account Team at The McCart Group will send you an updated BAA to comply with the new regulations specific to our business association with your organization.