[BreachExchange] How Employers Can Become Experts at Data Breaches: Breaches involving employee health information

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 30 19:30:28 EDT 2017


https://www.lexology.com/library/detail.aspx?g=26961632-d635-45ff-a078-393257c0c022

A large portion of the data breaches that occur each year involve human
resource related information. Bryan Cave has put together a multi-part
series to help human resource managers understand, prepare for, and react
to a data breach.

This part discusses a specific type of data security breach – those that
involve health information about an organization’s employees.

Employers that operate a self-insured health insurance program may be
subject to the requirements of the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) in the event of a breach. Although HIPAA
is a federal law, it does not preempt state laws that provide even greater
protection of patient information, so state laws may still need to be
examined in the event of a breach involving protected health information
(PHI).

PHI is defined as any individually identifiable health information that is
transmitted or maintained in any form or medium; is held by a covered
entity or its business associate; identifies the individual or offers a
reasonable basis for identification; is created or received by a covered
entity or any employer; and relates to a past, present or future physical
or mental condition, provision of health care, or payment for health care to
that individual.

Entities that are directly covered under HIPAA include healthcare providers
(e.g., doctors or hospitals) that conduct certain transactions in
electronic form, health plans (e.g., health insurance companies), and
healthcare clearinghouses (e.g., third-party organizations that host,
handle, or process medical information). It also includes self-funded
health insurance plans. HIPAA also creates obligations for “business
associates.” A business associate is any person or organization, other than
a member of a covered entity’s workforce, that performs services or
activities for, or on behalf of, a covered entity if such services or
activities involve the use or disclosure of PHI. For example, business
associates can include third-party claims administrators, billing agents,
consultants, attorneys, or accountants who provide services for a covered
entity that involve access to PHI, or a medical record transcriptionist.
HIPAA requires that the covered entity contractually require the business
associate to comply with the privacy and security rules under HIPAA.

The HIPAA Breach Notification Rule requires covered entities to provide
notification of a breach involving PHI to affected individuals, the
Secretary of the United States Department of Health and Human Services,
and, in certain circumstances, to the media. In addition, business
associates must notify covered entities if a breach occurs at or by the
business associate. The timing of the notification to the Secretary depends
on the number of persons affected by the breach. If the breach involves 500
or more persons, then the Secretary must be notified without unreasonable
delay. For fewer than 500 persons, notification may be made on an annual
basis.

Covered entities are also required to have in place written policies and
procedures regarding breach notification, to train employees on these
policies and procedures, and to develop and apply appropriate sanctions
against workforce members who do not comply with these policies and
procedures.