HIPAA privacy rules apply to group health plans, not to employers, per se.

Therefore, it would seem to make sense that an employer should enter into the terms of a business associate agreement only in its capacity as plan administrator of its group health plan.

Any comments appreciated.

Agree completely.

The SPDs for my company's self-funded plans specifically name the company as the plan administrator and plan sponsor (as opposed to claim administrator). As such, we sent BAA to all of our TPAs, UM vendors, consultants, auditors, etc. However, we did not do anything relative to our fully insured plans.

As a somewhat interesting sidenote, we also administer claims in-house for some of our employees and have received BAAs from local providers as well. We sent them letters informing them that a BAA was not required between a payor and provider. Clearly, there is still misunderstanding as to which entities constitute a BA under the regs.