[BreachExchange] HIPAA Compliance – Not Just an Issue for Health Care Providers

Audrey McNeil audrey at riskbasedsecurity.com
Tue Oct 11 19:38:34 EDT 2016


http://www.jdsupra.com/legalnews/hipaa-compliance-not-just-an-issue-for-31185/

Many people believe that compliance with the Health Insurance Portability
and Accountability Act of 1996 (“HIPAA”) is solely an issue for health care
providers and their affiliates. However, nothing could be further from the
truth. As described below, any employer that sponsors a self-insured group
health plan for its employees will have substantial HIPAA compliance
obligations and the failure to satisfy such obligations can have
significant adverse consequences. Therefore, as part of the acquisition due
diligence process, it is essential for potential purchasers to assess a
target company’s level of HIPAA compliance.

HIPAA established rules to protect the privacy and security of individuals’
health information that is held by “covered entities.” In addition to
health care providers, “covered entities” include employer health plans.
As a result, many
businesses that have no connection to the health care industry must still
be concerned about HIPAA compliance with respect to the health plans that
they provide to their employees. If an employer health plan is fully
insured, most of the HIPAA compliance burden will fall on the insurance
carrier. However, even an employer with a fully insured health plan will
still have HIPAA compliance obligations if it offers its employees a health
care flexible spending account. In contrast, an employer with a
self-insured health plan will have a much greater HIPAA compliance burden.

The Department of Health and Human Services (“HHS”) has issued HIPAA
privacy, security and breach notification regulations, aimed at protecting
the privacy and security of individually identifiable health information
(the “HIPAA Rules”). The HIPAA Rules require all covered entities to take
specific actions, including implementing policies and procedures that are
reasonably designed to comply with the privacy standards, designating
privacy and security officers, providing a notice of privacy practices,
training workforce members regarding privacy and security protocols and
performing a security “risk analysis” including the implementation of a
risk management plan. In addition, HHS is authorized to conduct periodic
audits to ensure that covered entities comply with the HIPAA Rules. HHS is
currently in the second round of its HIPAA audit program. Failure to be in
compliance with the HIPAA Rules can result in significant financial
penalties.

Conducting a risk analysis should be one of the first steps in an
organization’s efforts to comply with the HIPAA Rules. A security risk
analysis involves an accurate and thorough assessment of the potential
risks and vulnerabilities to the confidentiality, integrity, and
availability of electronic protected health information (“EPHI”) held by a
covered entity. Importantly, a thorough and accurate risk analysis is
critical for determining whether a particular security measure is
reasonable and appropriate to meet an organization’s HIPAA obligations. For
example, the result of the risk analysis should directly guide the covered
entity in designing appropriate personnel-screening processes, determining
whether and how to use encryption, and identifying what data to back up and
the appropriate procedure for doing so. In addition, security risk analysis
should be conducted on an ongoing basis in order for a covered entity to
comply with the requirement under the HIPAA Rules to review and modify, as
needed, its security measures to continue providing reasonable and
appropriate protection of EPHI. As technology is updated within an
organization and workforce members who are responsible for HIPAA compliance
leave an organization, it is important that risks be evaluated and that
necessary changes to compliance programs be addressed.

HHS recently released an interactive security risk assessment (“SRA”) tool
to assist small to medium-sized health care providers in complying with the
security risk analysis requirement. The SRA tool is a software application
that may be used to perform and document security risk analysis.
Specifically, the SRA tool consists of 156 questions addressing each
standard and implementation specification relating to the administrative,
physical and technical safeguards required under the HIPAA Rules, including
basic security practices, security failures, risk management and personnel
issues. Each question is annotated with useful information for the user,
including, for example, an explanation of possible threats and
vulnerabilities, examples of best practices to address such threats and
vulnerabilities, and a general explanation of the things to consider in
answering the question. As such, the SRA tool provides the user with the
opportunity to identify, on an ongoing basis, the current security measures
and any areas of potential threats and vulnerability affecting EPHI, and to
design a risk management plan that is appropriate and reasonable to address
any deficiencies in the organization’s security measures for purposes of
complying with the HIPAA Rules.

Although the SRA tool was not designed specifically for group health plans,
it is comprehensive and will assist in identifying any gaps in compliance.
However, the SRA tool will require substantial time and effort on the part
of any covered entities that choose to use it. Yet, in the long run, the
SRA tool may be a cost-effective resource that allows the user to avoid the
cost of a third party vendor analysis.

Every company with a self-insured health plan or flexible spending account
should have a robust HIPAA compliance program. Failure to do so can have
significant adverse financial consequences. Therefore, as part of the
acquisition due diligence process, all potential purchasers should
require a copy of the target company’s security risk analysis for its
employee health plan together with a copy of the health plan’s risk
management plan. In addition, purchasers should require disclosure of the
health plan’s HIPAA policies and procedures and evidence that the target’s
workforce has been properly trained with respect to HIPAA compliance.
Likewise, the applicable acquisition documents should require the target to
provide fulsome representations and warranties regarding its HIPAA
compliance.