Cyberattacks have managed to invade all walks of life, and employee benefit plans are no exception. When a plan is attacked, the fallout can be overwhelmingly expensive and burdensome to correct. Many plan sponsors are purchasing cyber liability insurance coverage to supplement their data security measures. Understanding those policies – and their exclusions – is important for sponsors who are exploring such coverage.
HIPAA Privacy and Security
The Federal Bureau of Investigation has cautioned organizations, regardless of industry, that cyber-attacks continue to increase and evolve. Cyber-attacks often target digital files containing sensitive and proprietary data. Thus, the operational, financial and reputational impact caused by cyber-attacks to an organization, either directly or through its service providers, can be significant.
To illustrate the widespread acknowledgement across industries of the importance of cybersecurity, this article describes: 1) best practices identified by the Securities and Exchange Commission Office of Compliance Inspections and Examinations for designing cybersecurity programs, and 2) guidance issued by the Department of Health and Human Services Office for Civil Rights under the Health Insurance Portability and Accountability Act for responding to cyber-attacks.
On March 21, 2016, the HHS Office for Civil Rights (OCR) announced that it has begun “Phase 2” of audits of covered entities and their business associates for compliance with the HIPAA Privacy, Security and Breach Notification Rules (“HIPAA Rules”). Phase 1 was limited to a pilot program designed to develop a standard set of audit protocols.
After more than ten years, HIPAA is still a hot topic. Here is a rundown of recent developments.
The well-publicized cyber-attack on Anthem, Inc.’s information technology system may require employers to take prompt action to protect the rights of their health plan participants. Although neither the scope nor the cause of the security breach has yet been determined, the attack has been described as both “massive” and “sophisticated.”
Among the many data security and breach laws that exist, covered health care providers and health plans must also contend with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The HIPAA Electronic Transactions and Code Sets rule requires most group health plans to obtain new health plan identifier numbers (HPIDs) by November 5, 2014. While insurers will likely obtain the HPID on behalf of fully insured plans, the task of obtaining the HPID for a self-funded plan will fall upon the plan sponsor. While the process is relatively simple, plan sponsors should begin identifying which group health plan arrangements are subject to the HPID requirement and communicating with plan vendors regarding the requirements.