If you’re an employer that sponsors a health care plan, you may worry about inadvertently violating the Health Insurance Portability and Accountability Act — commonly known as HIPAA. But you should also bear in mind that there is a formal requirement for ensuring electronic data security. Specifically, sponsors of most plans must do a risk analysis to comply with what’s called the HIPAA security rule.
Pertaining to PHI
The HIPAA security rule describes the required risk analysis as “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.”
In this context, a “vulnerability” is a flaw or weakness in a security system that could be exploited (intentionally or accidentally) to breach security. “Risk” is determined by assessing both the likelihood that a vulnerability will be exploited and the extent of the resulting impact on the health plan.
In performing the risk analysis, it’s important to remember that the HIPAA security rule applies only to electronic protected health information (PHI). Employers with insured plans may limit their compliance obligations by minimizing the amount of electronic PHI they create, receive, maintain or transmit. For example, you might structure your plan so individually identifiable information, such as claims data, is maintained exclusively by your insurer.
Also, enrollment information created by the plan sponsor — for instance, when you administer open enrollment — doesn’t constitute PHI because that information isn’t collected on behalf of the plan. Thus, the risk analysis for a small insured plan can be much simpler than that for a large, self-insured plan where the sponsor performs administrative functions.
Surveying your systems
As a first step, identify all hardware, software, facilities, workstations and information systems used in storing, receiving, maintaining or transmitting electronic PHI. You may be surprised at the amount of electronic PHI you have. Next, identify and assess security measures currently in place to protect the electronic PHI, noting specific vulnerabilities and risks. Finally, determine what, if any, additional security measures are needed to respond to the identified vulnerabilities and risks.
It’s particularly important to document completely each step of the risk analysis, including how the health plan reached its conclusions regarding vulnerabilities, risk assessment and security measures. The security rule doesn’t require perfect security but, in the event of a security breach, a health plan must be able to explain why its security measures were appropriate.
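The three steps above (inventory the systems that touch electronic PHI, assess the measures and risks, decide what else is needed) together with the rule's definition of risk as likelihood combined with impact can be captured in a simple risk register. The following is an added illustration, not a tool from the article or any regulator: the 1-to-3 rating scale, the threshold of 4, and the sample register entries are all assumptions constructed for the example. Its one design point worth noting is the `validate` check, which refuses to let an entry through without a documented rationale, since the article's key requirement is that the plan can later explain why its measures were appropriate.

```python
"""Illustrative risk register for a HIPAA security-rule risk analysis.

Added example; the rating scale, threshold and sample entries are assumptions.
"""
from dataclasses import dataclass, field

# Ordinal ratings. The security rule prescribes no scale; 1-3 is an assumption here.
RATING = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskEntry:
    asset: str                      # hardware, software, facility or system handling ePHI
    vulnerability: str              # flaw that could be exploited, intentionally or accidentally
    likelihood: str                 # "low" | "medium" | "high"
    impact: str                     # "low" | "medium" | "high" (impact on the health plan)
    controls: list = field(default_factory=list)  # security measures currently in place
    rationale: str = ""             # why the plan concluded its measures are appropriate

    def score(self) -> int:
        """Risk combines likelihood of exploitation with the extent of impact."""
        return RATING[self.likelihood] * RATING[self.impact]


def validate(entries):
    """Return documentation gaps; every step of the analysis must be recorded."""
    problems = []
    for e in entries:
        if e.likelihood not in RATING or e.impact not in RATING:
            problems.append(f"{e.asset}: unknown likelihood/impact rating")
        if not e.rationale.strip():
            problems.append(f"{e.asset}: missing rationale for conclusion")
    return problems


def prioritize(entries):
    """Highest-risk entries first, so remediation effort follows the analysis.

    Call validate() first: an unknown rating makes score() raise KeyError.
    """
    return sorted(entries, key=lambda e: e.score(), reverse=True)


def needs_additional_measures(entry, threshold=4):
    """Flag an entry whose risk exceeds the plan's tolerance (threshold is an assumption)."""
    return entry.score() >= threshold


# Constructed sample register for a self-insured plan whose sponsor performs
# administrative functions; these are not real systems or findings.
SAMPLE_REGISTER = [
    RiskEntry("claims export laptop", "unencrypted disk; device may be lost",
              "medium", "high", controls=["password login"],
              rationale="Laptop leaves the office weekly; loss would expose claims data."),
    RiskEntry("claims appeals file share", "broad share permissions",
              "medium", "medium", controls=["HR group ACL"],
              rationale="Access limited to the benefits team and reviewed quarterly."),
    RiskEntry("insurer portal (browser access)", "shared account credentials",
              "low", "medium", controls=["individual accounts", "MFA"],
              rationale=""),  # deliberately undocumented to show the validation gap
]


if __name__ == "__main__":
    for problem in validate(SAMPLE_REGISTER):
        print("DOCUMENTATION GAP:", problem)
    for entry in prioritize(SAMPLE_REGISTER):
        flag = "needs more measures" if needs_additional_measures(entry) else "accept"
        print(f"{entry.score()}  {entry.asset}: {entry.vulnerability} -> {flag}")
```

Run as a script it lists the undocumented entry first, then the register ordered from highest to lowest risk with an accept/remediate decision for each; the register itself is what you would keep as the documentation the security rule expects.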
Undertaking the process
Note that the HIPAA security rule doesn’t apply to a health plan that has fewer than 50 participants and is self-administered by the employer that established and maintains the plan.
If the rule does apply to you, keep in mind that it doesn’t specify how often employers should conduct a risk analysis. Undertaking the process annually or whenever there’s a major change to your health plan or IT systems is generally recommended. For further information, please contact us.