The keys for plan sponsors to avoid penalties under the Health Insurance Portability and Accountability Act (HIPAA), as well as other liability that may come with data breaches, were discussed by HIPAA experts in a recent webinar.
Periodic risk assessments, updated policies and procedures, and ongoing training are critical to HIPAA compliance, said Kathryn Bakich, senior vice president at Segal Consulting. The urgency of these has been driven home by the recent rise in big-ticket HIPAA settlements obtained by the U.S. Department of Health and Human Services (HHS).
The HHS enforcement actions that result in publicized monetary settlements “almost always reflect some kind of cutting-edge problem,” said Bakich, head of Segal’s national health compliance practice and co-author of BLR’s Employer’s Guide to HIPAA Privacy Requirements. The corrective action plans that accompany these “resolution agreements” are a particularly helpful source of instruction on how to meet HIPAA requirements, she added.
Nearly 2,000 major breaches of protected health information (PHI) now have been reported to HHS’ Office for Civil Rights (OCR), along with nearly 300,000 smaller breaches, and the volume of HIPAA complaints keeps rising from year to year, observed Nicholas Heesters, a health information privacy and security specialist with the OCR. “Individuals seem to be more cognizant of some of their rights, as well as security issues.”
The OCR still sees insufficiency in the scope of risk assessments, Heesters said; they should cover everywhere PHI is located and all of its vulnerabilities. “We see this over and over again,” he said, where certain applications and devices are left out, or certain facilities.
Bakich recommends conducting a risk assessment “every 2 to 3 years, and whenever new technology is adopted or changed”—for example, a new HR system or wellness program is introduced or a new type of mobile device issued. Technology that should be addressed in a security assessment also includes wearables, robotics, and cloud computing, which recently was the subject of some “really helpful” guidance from the OCR, she said.
Retirement plans are getting more interested in data security as well, Bakich noted, and it’s a good idea to perform the same sort of security assessments for them even though they’re not covered by HIPAA. A good resource for all benefit plans, she added, is the ERISA Advisory Council, which issued reports on privacy and security issues for benefit plans in 2011, and cybersecurity considerations in 2016.
Plan sponsors sometimes think risk assessments performed for other purposes satisfy HIPAA but “that’s not always the case,” although it may be possible to incorporate these other assessments rather than having to duplicate them, according to Samuel Choy, an attorney with King & Spalding.
Bakich cited the following common “red flags” for possible HIPAA security violations:
- Inadequate encryption policies and procedures;
- Poor access control and activity review;
- Poor policies and controls for mobile devices and laptops;
- A lack of IT governance, such as standards, inventory control, and basic steps like patching;
- Inadequate disaster recovery procedures;
- Insufficient IT policies and procedures;
- A lack of advanced monitoring techniques such as intrusion detection/prevention, log correlation, and data loss prevention; and
- Not having designated a security officer.
Privacy and Plan Administration
How HIPAA privacy and security apply to group health plans depends on how deeply the employer is involved in plan administration. Fully insured plans may be largely exempt from HIPAA privacy, but a self-insured plan may not transfer its privacy obligations entirely to a third party, Choy noted. Even if a third-party administrator (TPA) performs most of a group health plan’s functions, the plan fiduciary needs some access to PHI in order to monitor the TPA.
Nonhealth benefits such as workers’ compensation and disability coverage are not covered by HIPAA, but if the employer has a “wrap” plan that includes these with the health benefits, the entire plan must comply with HIPAA unless it is designated a hybrid entity, Choy said. One common problem is that a plan adopts HIPAA procedures only for the covered component without making the hybrid election, he noted.
“A common reason for HIPAA violations is a lack of training,” Choy said. HIPAA generally requires covered entities to train all workforce members who might access PHI. When identifying employees for training, don’t forget information technology and finance staff, as well as employees who are internally transferred to positions involving PHI access. “This group tends to fall through more times than not,” he said.
Both Bakich and Choy highlighted the need for up-to-date, compliant business associate agreements (BAAs) with TPAs, claims administrators, and other outside entities that handle PHI on the plan’s behalf. Employers often assume that the BAAs their vendors provide are compliant, but that’s not always the case, Choy noted.
A BAA should clearly assign responsibility for meeting HIPAA’s individual rights, such as a participant’s right to inspect and obtain his or her own PHI, Choy said. Plan sponsors aren’t always sure who’s responsible for complying, and an employer may obtain PHI mistakenly to meet such a request and expose itself to additional risk.
It is often asked whether a BAA is needed with a photocopier company, if the copier machines are used by HR employees with access to PHI. If it is a modern copier that stores images, and copier repair personnel may need to take it offsite, then a BAA would be required, Heesters said. If the copier is a small home inkjet with no storage capacity, then maybe not.
Minimizing HIPAA Privacy Liability
Choy suggested the following steps to minimizing HIPAA privacy exposure:
- Assign “ownership” for compliance;
- Delegate HIPAA-covered activities to a TPA;
- Limit employer access to PHI, receiving only deidentified information if possible;
- If PHI must be obtained, delete it after use rather than storing it;
- Limit the workforce members who have access to PHI;
- Understand participants’ HIPAA rights;
- Provide ongoing training;
- Implement and monitor the document retention required by HIPAA;
- Perform regular risk assessments; and
- Understand how HIPAA duties are shared with vendors.
Bakich, Choy, and Heesters spoke June 22 in a webinar presented by the American Bar Association’s Joint Committee on Employee Benefits.
| David A. Slaughter, JD, is a Senior Legal Editor for BLR’s Thompson HR products, focusing on benefits compliance. Before coming to BLR, he served as editor of Thompson Information Services’ (TIS) HIPAA guides, along with other writing and editing duties related to TIS’ HR/benefits offerings. Mr. Slaughter received his law degree from the University of Virginia and his B.A. from Dartmouth College. He is an associate member of the Virginia State Bar.
Questions? Comments? Contact David at firstname.lastname@example.org for more information on this topic