A large portion of the data breaches that occur each year involve human resource related information. Bryan Cave has put together a multi-part series to help human resource managers understand, prepare for, and react to, a data breach.
This part discusses a specific type of data security breach – one that involves health information about an organization’s employees.
Employers that operate a self-insured (self-funded) health plan may be subject to the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the event of a breach, because the group health plan itself is a HIPAA covered entity. Although HIPAA is a federal law, it preempts only state laws that are contrary to it and less protective; state laws that provide greater protection of health information continue to apply, so they may still need to be examined in the event of a breach involving protected health information (PHI).
PHI is defined as individually identifiable health information that is transmitted or maintained in any form or medium; is held by a covered entity or its business associate; identifies the individual or offers a reasonable basis to believe the individual can be identified; is created or received by a covered entity or an employer; and relates to a past, present or future physical or mental condition of the individual, the provision of health care to the individual, or payment for that health care. One caveat matters for human resource managers: PHI does not include employment records that an employer holds in its capacity as an employer (for example, a doctor’s note in a personnel file supporting a leave request), even though such records contain health information.
Entities that are directly covered under HIPAA include healthcare providers (e.g., doctors or hospitals) that conduct certain transactions in electronic form, health plans (e.g., health insurance companies), and healthcare clearinghouses (e.g., third-party organizations that host, handle, or process medical information). Health plans also include self-funded health plans sponsored by employers. HIPAA also creates obligations for “business associates.” A business associate is any person or organization, other than a member of a covered entity’s workforce, that performs services or activities for, or on behalf of, a covered entity if those services or activities involve the use or disclosure of PHI. For example, business associates can include third-party claims administrators, billing agents, medical record transcriptionists, and consultants, attorneys, or accountants whose services for a covered entity involve access to PHI. HIPAA requires that the covered entity contractually require the business associate (typically through a business associate agreement) to comply with the privacy and security rules under HIPAA; since the HITECH Act, business associates are also directly liable for compliance with the Security Rule and with the Privacy Rule provisions that apply to them.
The HIPAA Breach Notification Rule requires covered entities to provide notification of a breach involving unsecured PHI to affected individuals, to the Secretary of the United States Department of Health and Human Services, and, in certain circumstances, to the media. Individuals must be notified without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. Notice to prominent media outlets is required when a breach involves more than 500 residents of a single state or jurisdiction. In addition, business associates must notify the covered entity if a breach occurs at or by the business associate, also without unreasonable delay and no later than 60 calendar days after discovery. The timing of the notification to the Secretary depends on the number of persons affected by the breach. If the breach involves 500 or more persons, the Secretary must be notified without unreasonable delay, at the same time individuals are notified. For breaches involving fewer than 500 persons, the covered entity must keep a log and report those breaches to the Secretary annually, within 60 days after the end of the calendar year in which they were discovered.
Covered entities are also required to have in place written policies and procedures regarding breach notification, to train employees on these policies and procedures, and to develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.
TIP: Many employers think “HIPAA” only applies to doctors, hospitals, and insurance companies. If you maintain a self-funded health plan, remember that HIPAA applies to your organization as well.