Employer Compliance Tip
HIPAA Breach Notifications and Processes
There have been a couple of recent high-profile cyberattacks and data breaches at health plan-related companies, which means more employers are likely to receive a HIPAA breach notification. What is an employer’s obligation upon receiving notice from a plan vendor, business associate, or subcontractor of such a vendor or business associate that there has been a breach involving the employer’s employees’ PHI?
Under HIPAA, the health plan itself is a covered entity required to follow the HIPAA breach notification rules, but an employer is not required to duplicate the efforts of its vendor, business associate or subcontractor. Realistically, that means that most employers with fully insured plans will not have any additional obligations because the carrier itself is also a covered entity required to follow the breach notification rules. However, this is not always the case with respect to self-funded plans.
The breach notification rules require the covered entity to determine:
- Whether there was unauthorized acquisition, access, use or disclosure of PHI;
- Whether the PHI that was accessed was unsecured, i.e., not encrypted or otherwise rendered unusable, unreadable, or indecipherable to unauthorized persons; and
- Whether the use or disclosure compromises the security or privacy of the PHI, taking into account (a) the nature and extent of the PHI involved; (b) the unauthorized person who used the PHI or to whom the disclosure was made; (c) whether the PHI was actually acquired or viewed; and (d) the extent to which the risk to the PHI has been mitigated.
If there was a breach, then notice of the breach must be provided to affected individuals. In addition, notice must be provided to the media if more than 500 individuals’ PHI was involved. Notice must also be provided to HHS: immediately if more than 500 individuals were involved, or at the end of the year if fewer than 500 individuals were involved. States may also have their own breach notification requirements.
Many large vendors that experience a breach will send a communication to the employer describing what happened and what steps they have taken to mitigate the damage. They will either automatically notify or offer to notify the affected individuals, with or without an offer of identity theft protection, and in many cases will also offer to notify the required government agencies. As long as the employer is satisfied that the vendor’s response satisfies the breach notification rules, the employer is not required to take any additional steps, although it is free to communicate information regarding the breach to its employees itself if it so chooses.
Benefit Comply’s HIPAA Compliance solution offers employers/group health plans assistance with HIPAA Privacy and Security Policies as well as with HIPAA training and procedures.
While every effort has been taken in compiling this information to ensure that its contents are totally accurate, neither the publisher nor the author can accept liability for any inaccuracies or changed circumstances of any information herein or for the consequences of any reliance placed upon it. This publication is distributed on the understanding that the publisher is not engaged in rendering legal, accounting, or other professional advice or services. Readers should always seek professional advice before entering into any commitments.