Cyberattacks have managed to invade all walks of life, and employee benefit plans are no exception. When a plan is attacked, the fallout can be overwhelmingly expensive and burdensome to correct. Many plan sponsors are purchasing cyber liability insurance coverage to supplement their data security measures. Understanding those policies – and their exclusions – is important for sponsors who are exploring such coverage.
HIPAA Privacy and Security
The Federal Bureau of Investigation has cautioned organizations, regardless of industry, that cyber-attacks continue to increase and evolve. Cyber-attacks often target digital files containing sensitive and proprietary data. Thus, the operational, financial and reputational impact caused by cyber-attacks to an organization, either directly or through its service providers, can be significant.
To illustrate the widespread acknowledgement across industries of the importance of cybersecurity, this article describes: 1) best practices identified by the Securities and Exchange Commission Office of Compliance Inspections and Examinations for designing cybersecurity programs, and 2) guidance issued by the Department of Health and Human Services Office for Civil Rights under the Health Insurance Portability and Accountability Act for responding to cyber-attacks.
On March 21, 2016, the HHS Office for Civil Rights (OCR) announced that it has begun “Phase 2” of audits of covered entities and their business associates for compliance with the HIPAA Privacy, Security and Breach Notification Rules (“HIPAA Rules”). Phase 1 was limited to a pilot program designed to develop a standard set of audit protocols.
After more than ten years, HIPAA is still a hot topic. Here is a rundown of recent developments.
The well-publicized cyber-attack on Anthem, Inc.’s information technology system may require employers to take prompt action to protect the rights of their health plan participants. Although neither the scope nor the cause of the security breach has yet been determined, the attack has been described as both “massive” and “sophisticated.”
Among the many data security and breach laws that exist, covered health care providers and health plans must also contend with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The HIPAA Electronic Transactions and Code Sets rule requires most group health plans to obtain new health plan identifier numbers (HPIDs) by November 5, 2014. While insurers will likely obtain the HPID on behalf of fully insured plans, the task of obtaining the HPID for a self-funded plan will fall upon the plan sponsor. While the process is relatively simple, plan sponsors should begin identifying which group health plan arrangements are subject to the HPID requirement and communicating with plan vendors regarding the requirements.
The Department of Health and Human Services has issued final regulations on the HIPAA privacy and security rules (the “HIPAA Rules”) for health plan sponsors and their business associates. The regulations make several changes to the HIPAA Rules, including a significant change in the standards requiring a “breach notification,” additional content for the notice of privacy practices, and incorporation of the “direct liability” rules for business associates. The general effective date of the final regulations is March 26, 2013 and compliance with most of the changes will be required by September 23, 2013. Plan sponsors (and business associates) will need to review, and potentially revise, their policies and procedures, privacy notices, and business associate agreements in light of the final regulations.
After years of somewhat lenient enforcement of the HIPAA Privacy and Security Rules, the Department of Health and Human Services (“HHS”) appears to be ramping up its enforcement efforts. A recently announced settlement between a medical provider and HHS is the latest in a string of recent civil penalties and settlements involving alleged HIPAA Privacy Rule and/or Security Rule violations. Although the penalties referenced in this Alert have thus far been assessed against health care providers, they might just as easily be assessed against health care plans that commit the same types of HIPAA violations. For that reason, health plan sponsors should take note and review their existing policies and procedures.
As explained in our March 2009 and September 2009 articles, employer health plans and other “covered entities” are required to notify affected individuals and the Department of Health and Human Services (“HHS”) when they breach certain of the privacy requirements imposed by the Health Insurance Portability and Accountability Act (“HIPAA”). HHS has now posted on its website an online form by which such breaches may be reported to HHS.