The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) requires organizations and individuals that handle protected health information to take certain measures to protect the information from improper disclosures. HIPAA applies to employer-based health plans and the service providers that work with them. The two key pieces that employers need in order to comply with HIPAA are a Business Associate Agreement (BAA), which governs the relationship between the health plan and its service providers, and a Notice of Privacy Practices (NPP), which describes to employees how their personal health information will be protected. Some employers may also need to establish written policies and procedures for handling health information and to appoint a “security officer.” We have contracted with our attorney to provide the BAA and NPP at no charge to our clients. HIPAA policies and procedures are available upon request at a discounted flat fee rate.