Many people believe that compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is solely an issue for health care providers and their affiliates. However, nothing could be further from the truth. As described below, any employer that sponsors a self-insured group health plan for its employees will have substantial HIPAA compliance obligations and the failure to satisfy such obligations can have significant adverse consequences. Therefore, as part of the acquisition due diligence process, it is essential for potential purchasers to assess a target company’s level of HIPAA compliance.

HIPAA established rules to protect the privacy and security of individuals’ health information that is held by “covered entities.” In addition to health care providers, “covered entities” include employer health plans. Therefore, because “covered entities” include employer health plans, many businesses that have no connection to the health care industry must still be concerned about HIPAA compliance with respect to the health plans that they provide to their employees. If an employer health plan is fully insured, most of the HIPAA compliance burden will fall on the insurance carrier. However, even an employer with a fully insured health plan will still have HIPAA compliance obligations if it offers its employees a health care flexible spending account. In contrast, an employer with a self-insured health plan will have a much greater HIPAA compliance burden.

The Department of Health and Human Services (“HHS”) has issued HIPAA privacy, security and breach notification regulations, aimed at protecting the privacy and security of individually identifiable health information (the “HIPAA Rules”). The HIPAA Rules require all covered entities to take specific actions, including implementing policies and procedures that are reasonably designed to comply with the privacy standards, designating privacy and security officers, providing a notice of privacy practices, training workforce members regarding privacy and security protocols and performing a security “risk analysis” including the implementation of a risk management plan. In addition, HHS is authorized to conduct periodic audits to ensure that covered entities comply with the HIPAA Rules. HHS is currently in the second round of its HIPAA audit program. Failure to be in compliance with the HIPAA Rules can result in significant financial penalties.

Conducting a risk analysis should be one of the first steps in an organization’s efforts to comply with the HIPAA Rules. A security risk analysis involves an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (“EPHI”) held by a covered entity. Importantly, a thorough and accurate risk analysis is critical for determining whether a particular security measure is reasonable and appropriate to meet an organization’s HIPAA obligations. For example, the result of the risk analysis should directly guide the covered entity in designing appropriate personnel-screening processes, determining whether and how to use encryption, and identifying what data to backup and the appropriate procedure for doing so. In addition, security risk analysis should be conducted on an ongoing basis in order for a covered entity to comply with the requirement under the HIPAA Rules to review and modify, as needed, its security measures to continue providing reasonable and appropriate protection of EPHI. As technology is updated within an organization and workforce members who are responsible for HIPAA compliance leave an organization, it is important that risks be evaluated and that necessary changes to compliance programs be addressed.

HHS recently released an interactive security risk assessment (“SRA”) tool to assist small to medium-sized health care providers in complying with the security risk analysis requirement.1 The SRA tool is a software application that may be used to perform and document security risk analysis. Specifically, the SRA tool consists of 156 questions addressing each standard and implementation specification relating to the administrative, physical and technical safeguards required under the HIPAA Rules, including basic security practices, security failures, risk management and personnel issues. Each question is annotated with useful information for the user, including, for example, an explanation of possible threats and vulnerabilities, examples of best practices to address such threats and vulnerabilities, and a general explanation of the things to consider in answering the question. As such, the SRA tool provides the user with the opportunity to identify, on an ongoing basis, the current security measures and any areas of potential threats and vulnerability affecting EPHI, and to design a risk management plan that is appropriate and reasonable to address any deficiencies in the organization’s security measures for purposes of complying with the HIPAA Rules.

Although the SRA tool was not designed specifically for group health plans, it is comprehensive and will assist in identifying any gaps in compliance. However, the SRA tool will require substantial time and effort on the part of any covered entities that choose to use it. Yet, in the long run, the SRA tool may be a cost-effective resource that allows the user to avoid the cost of a third party vendor analysis.

Every company with a self-insured health plan or flexible spending account should have a robust HIPAA compliance program. Failure to do so can have significant adverse financial consequences. Therefore, as part of the acquisition due diligence process, all potential purchasers should be requiring a copy of the target company’s security risk analysis for its employee health plan together with a copy of the health plan’s risk management plan. In addition, purchasers should require disclosure of the health plan’s HIPAA policies and procedures and evidence that the target’s workforce has been properly trained with respect to HIPAA compliance. Likewise, the applicable acquisition documents should require the target to provide fulsome representations and warranties regarding its HIPAA compliance.