    Authorize Vendors

    An important HIPAA requirement is to set up Business Associate Agreements (BAAs) with vendors who will have access to a plan’s Protected Health Information (PHI). The BAA basically ensures that the vendor handles PHI in a manner consistent with the requirements of the HIPAA Privacy and Security Rules, as well as with your privacy and security policies.

    Note that the carriers of your organization’s fully-insured group plans are NOT considered Business Associates. Therefore, no BAA is needed for them. However, any third-party administrator (or other vendor) helping administer your health FSA will need to sign your organization’s BAA.