Is Your Health Plan Prepared for a Data Breach?

February 18, 2015

Since the Health Insurance Portability and Accountability Act (HIPAA) originally passed in 1996, group health plan sponsors have had to implement a number of federal and state laws and regulations designed to protect plan participants’ health information. At the same time, as more health information is stored and transmitted electronically, plan sponsors have had to adjust to increasing risks to that information due to data and security breaches. Because breaches can happen at any time—even with adequate safeguards in place—it is important that plan sponsors review and update their policies and procedures for handling all types of breaches, particularly if they involve individuals’ health information. This Employer Alert provides practice tips and a checklist of initial steps that plan sponsors should consider when dealing with a health plan-related data breach, with links to additional resources.

Practice Tip: Companies should keep in mind that although HIPAA is the primary law protecting health information, other federal and state laws may overlap with HIPAA and protect other types of information such as Social Security numbers and financial information.

When Does HIPAA’s Breach Notification Rule Come Into Play?

HIPAA’s privacy and security provisions and their implementing regulations (known as the Privacy Rule and Security Rule) govern the protection, use, and disclosure of “protected health information” (PHI).1 For group health plans, PHI generally is any plan information that identifies an individual and relates to the past, present, or future physical or mental health or condition of the individual. Among other things, the Privacy Rule and Security Rule require group health plans to:

  • Establish policies and procedures to protect individuals’ PHI in paper and electronic form, based on plans’ specific risks, staffing, and administrative structures;
  • Limit unauthorized uses and disclosure of plan participants’ PHI;
  • Comply with rules that give plan participants certain rights to examine, obtain copies of, and correct their PHI.

More details on Privacy Rule and Security Rule requirements are available at HHS’s website on Health Information Privacy.

In addition, HIPAA requires group health plans to follow HIPAA’s breach notification rule in the event of a breach of unsecured PHI.2 Generally, this will happen when:

  • The breach involves PHI;
  • The PHI is unencrypted or otherwise unsecured; and
  • There was an impermissible access, use, or disclosure of the unsecured PHI that compromises its security or privacy.

Other HIPAA “covered entities” such as health care providers, health insurers, and health care clearinghouses, and third parties who handle PHI on covered entities’ behalf (known as “business associates”), are also required to comply with the breach notification rule.3 However, plan sponsors should keep in mind that the plan is legally responsible for complying with HIPAA’s breach notification rule when any breach occurs with respect to unsecured PHI that belongs to the plan.

Practice Tips: When has a breach occurred?

Although “breach” often brings to mind outside parties breaking into an information system or stealing individuals’ data, breaches can involve health plan data in a number of other ways. For example, a breach can occur when:

  • A health plan or its third-party administrator (TPA) sends a mailing containing PHI—such as biometric screening results or claims information—to the wrong address.
  • An employee with access to PHI—such as an HR team member—loses a laptop, tablet, or cell phone that contains unencrypted emails related to plan participant claims or appeals.
  • Someone steals a company computer, server, or other data storage device that contains unencrypted health plan records.

More information about when a breach has occurred is available at HHS’s website on HIPAA’s Breach Notification Rule.

What Should a Plan Do When It Suspects or Knows a Breach Has Occurred?

Each group health plan’s HIPAA policies and procedures will be tailored to its specific circumstances. However, here are some basic steps that plans should take when a breach occurs or may have occurred:

  • Notify the privacy official and follow HIPAA policies and procedures. HIPAA requires that a group health plan have a privacy official4 and maintain policies and procedures for breaches.5 If an employee thinks that a breach may have occurred, he or she should notify the privacy official. The plan also should review the required steps outlined in its HIPAA policies and procedures.
  • Coordinate with third parties, if applicable. In many cases, a breach involving group health plan participants’ PHI may involve one or more third parties such as TPAs, health insurers, wellness program providers, or web site administrators. The plan should communicate and work with these third parties to determine (1) which parties are responsible for the breach, (2) which parties are responsible for notifying affected individuals, the media, or HHS, as required by HIPAA, and (3) how to mitigate or remedy the breach.

    Note: If third parties handle PHI on the plan’s behalf, they are the plan’s “business associates” and are also required to comply with HIPAA’s breach notification requirements if they are the source of the breach.6

  • Coordinate with the IT department, if applicable. In many cases, a breach or the plan’s response afterward will involve the company’s information technology department. The plan should communicate and work with IT to determine (1) which parties are responsible for the breach, (2) the extent of the breach, and (3) how best to mitigate or remedy the breach.
  • If a breach occurred, provide notifications as required by HIPAA.
    • Notify affected individuals. If a breach occurs, HIPAA requires that the plan notify affected individuals within 60 days after discovery of the breach.7
    • Notify by web site posting or the media, if applicable. If a breach occurs and the plan has insufficient or out-of-date contact information for 10 or more affected individuals, HIPAA requires that the plan notify affected individuals by posting notice on a company web site home page for at least 90 days or by providing notice in major print or broadcast media where the affected individuals likely reside.8 Also, if a breach affects more than 500 residents of a state or jurisdiction, the plan must provide notice to prominent media outlets serving the state or jurisdiction.9
    • Notify HHS. If a breach occurs, HIPAA requires that the plan notify HHS. If a breach affects 500 or more individuals, the plan must notify HHS within 60 days of the breach. If the breach affects fewer than 500 individuals, the plan can notify HHS on an annual basis no later than 60 days after the end of the calendar year.10
  • If a breach occurred, develop a plan to mitigate harm. If a breach occurs, HIPAA requires that the plan mitigate resulting harm to affected individuals, to the extent practicable.11 Mitigation can involve a variety of measures such as updating policies and procedures for handling PHI, providing credit monitoring services, or taking measures to limit further distribution of PHI.
  • If a breach occurred, consider developing a broader communications strategy. While HIPAA requires health plans to notify affected individuals when a breach occurs, plan sponsors should also consider whether additional communication strategies might be appropriate, depending on the size and nature of the breach. In the case of a large, highly publicized breach, it may be desirable to involve the company’s senior leadership or external communications team. A clear, unified communications strategy can be helpful in answering internal and external questions and minimizing litigation risks.

HIPAA regulations provide detailed guidance on the content, timing, and delivery of breach notifications.12 If a breach occurs, we recommend that plans consult with the above-mentioned parties and counsel to ensure compliance.

Practice Tips: Breach Notification and Third Parties (Business Associates)

We recommend that plans review their business associate agreements to verify:

  • That business associates have policies and procedures in place to detect breaches and notify the plan if a breach involving plan participants’ PHI occurs;
  • Which party is responsible for HIPAA-required notifications if a breach involving plan participants’ PHI occurs; and
  • Which party bears the costs of HIPAA-required notifications, mitigation of harm, additional compliance measures, and applicable penalties and legal liabilities if a breach involving plan participants’ PHI occurs.

Other Laws May Apply

Although HIPAA is the primary law protecting health information, plan sponsors should keep in mind that other federal or state laws may apply if a data breach occurs. For example:

  • 47 states, the District of Columbia, and 3 U.S. territories have security breach notification laws that require notice to affected individuals or state agencies when certain data breaches occur. These laws protect a variety of types of data such as Social Security numbers, health information, or financial information.
  • The Gramm-Leach-Bliley Act applies to financial institutions and protects certain personal financial information.
  • The Federal Trade Commission (FTC) enforces the Health Breach Notification Rule, which requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information.
  • The Federal Trade Commission Act is a general consumer protection law and authorizes the FTC to bring privacy enforcement actions for deceptive or unfair practices.
  • The Family Educational Rights and Privacy Act protects the privacy of student education records.

We recommend that plan sponsors work with their counsel to determine if these or other laws apply when a breach occurs.

Additional Resources

  • 1 | 45 C.F.R. § 160.103.
  • 2 | 45 C.F.R. § 164.402.
  • 3 | 45 C.F.R. § 164.404.
  • 4 | 45 C.F.R. § 164.530(a).
  • 5 | 45 C.F.R. § 164.414(a).
  • 6 | 45 C.F.R. § 164.410.
  • 7 | 45 C.F.R. § 164.404.
  • 8 | 45 C.F.R. § 164.404(d).
  • 9 | 45 C.F.R. § 164.406.
  • 10 | 45 C.F.R. § 164.408.
  • 11 | 45 C.F.R. § 164.530(f).
  • 12 | 45 C.F.R. §§ 164.400–164.414.