The US Department of Health and Human Services Office for Civil Rights (OCR) recently announced a settlement with a community hospital resolving an investigation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules. While the settlement involved a medical provider, it offers some important lessons for other HIPAA-covered entities, including employer-sponsored group health plans.
The settlement involved impermissible data breaches by non-medical staff who, allegedly, used their login credentials to access patient medical records maintained in the hospital’s electronic medical record system without a job-related purpose. The lesson here is straightforward: all HIPAA-covered entities must “protect the privacy and security of health information.”
The HIPAA privacy and security rules are complex, and full compliance requires substantial resources that are, as a practical matter, beyond the reach of many organizations. While OCR routinely refers to these rules as “scalable,” that claim is difficult to square with our experience. Full compliance with the particulars of the rule is costly and time-consuming, and it requires no shortage of expertise. Thankfully, in practice, OCR tends to focus its investigative resources on certain features of these rules. These features include the following items which covered entities must perform to comply:
- Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic protected health information;
- Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities identified in the risk analysis;
- Develop, maintain and revise, as necessary, written HIPAA policies and procedures;
- Enhance HIPAA and security training programs to provide workforce training on the updated HIPAA policies and procedures; and
- Review relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements with business associates if not already in place.
Where group health plans are concerned, fully insured plans routinely rely on their carriers for HIPAA compliance, which requires that plan sponsors get only “summary” health information at renewal. This option is not available to self-funded plans, however, even those that contract with a carrier for administrative services. Employers in this latter category should be reasonably confident of surviving an OCR audit or investigation only, at a minimum, by taking the actions listed above.