Alert
02.09.15
Recent data breaches have reminded employers that sponsor self-insured health benefit plans (“Plans”), many of which are administered by third party administrators (“TPAs”) affiliated with national health insurance companies, to evaluate their contractual rights so that they can respond properly if their TPA suffers a data breach. The same events remind TPAs to re-examine their obligations to Plans under applicable law and under their business associate agreements.
TPAs typically perform a variety of administrative services for or on behalf of Plans that require the TPA to create, receive, maintain, and/or transmit protected health information of the Plan’s beneficiaries (“PHI”), and thus are “business associates” subject to the HIPAA regulations concerning the privacy and security of health information (“HIPAA”). As business associates, TPAs must comply with HIPAA’s Security Rule and certain provisions of HIPAA’s Privacy Rule and Data Breach Notification Rule. Business associates that fail to comply are subject to regulatory action under HIPAA’s Enforcement Rule. In addition, HIPAA requires these TPAs to enter into business associate agreements (“BAAs”) with Plans, which create contractual obligations TPAs owe to Plans in connection with the privacy and security of PHI.
HIPAA dictates some of the BAA’s terms, but leaves the parties significant flexibility in establishing the business associate’s obligations. At a minimum, the BAA must require that the TPA comply with those aspects of HIPAA that apply to it, including particularly that the TPA must comply with the Security Rule with respect to PHI in electronic form, and that the TPA report security incidents, data breaches, and other unauthorized uses or disclosures of PHI to the Plan promptly.
When the TPA is a national insurance company or its affiliate, PHI of the self-funded Plan’s beneficiaries is commonly stored in the same systems that the insurer uses to store the information of its insureds. Under HIPAA, both the insurers and the Plans are “covered entities” with respect to their insureds and their beneficiaries, respectively. However, insofar as the insurer is acting as a TPA for a Plan, the insurer’s responsibilities following a data breach of Plan beneficiaries’ PHI are those of a business associate. Therefore, the TPA will have different responsibilities with respect to the PHI of individuals who are insured by the TPA or its affiliate, on the one hand, and the PHI of individuals who are covered by an employer-funded Plan, on the other hand. The response to certain recent data breaches has demonstrated confusion about the parties’ respective legal roles, and this confusion may lead to failures of compliance by both TPAs and Plans.
The breaches of health information most commonly reported publicly are breaches of “unsecured PHI” (i.e., PHI that has not been encrypted or destroyed in accordance with the guidance issued by the U.S. Department of Health & Human Services). HIPAA requires that the business associate report such breaches to the covered entity, as well as other security incidents and unauthorized uses and disclosures of PHI, within specified timeframes. The covered entity in turn must notify the affected individuals and the Department of Health & Human Services (“HHS”), and, if the breach involves more than 500 residents of a state or other jurisdiction, prominent media outlets serving that state or jurisdiction. A Plan should not assume that a TPA’s response to a data breach, even one appropriate for the TPA’s or its affiliates’ own insureds, is sufficient to satisfy the Plan’s independent obligations as a covered entity.
Moreover, HIPAA requires that the covered entity make those reports without unreasonable delay and in no event later than 60 days after the covered entity discovers the breach or would have discovered it with the exercise of reasonable diligence. Often, the covered entity first learns of a data breach when the TPA announces it. Receipt of this announcement almost certainly qualifies as “discovery” of the breach and therefore starts the 60-day clock, but the announcement may not be a legally sufficient report of the breach under HIPAA or the business associate contract. Thus, while the TPA’s announcement that a breach has occurred marks the beginning of the Plan’s legal responsibility to respond, the TPA may not for quite some time provide the Plan with the information (for example, which beneficiaries and which data elements were affected) that the Plan needs to begin its response.
In addition, certain state laws may impose similar breach reporting responsibilities upon either or both the Plan and the TPA, particularly if the breach involves categories of information beyond PHI, such as personal financial information.
Plans should review their BAAs with TPAs and other business associates and determine the following:
In addition, Plans should review their own HIPAA compliance programs to confirm that they are prepared to perform their responsibilities following a data breach suffered by their TPA, including the making of required reports to individuals, HHS, other agencies and the media. A Plan should also be prepared to investigate and evaluate the circumstances in which the data breach occurred, in order to determine whether to require corrective or other action by the TPA or to terminate its relationship with the TPA. Under HIPAA, when a covered entity determines that a business associate is not acting in compliance with its business associate contract, the covered entity is called upon to take reasonable steps to cure the problem or terminate its relationship with the business associate if it is feasible to do so. Plans should also review their own insurance coverage to determine whether they are sufficiently covered against the risk of data breaches.
Similarly, TPAs should review their HIPAA compliance programs and contractual obligations to confirm that they are prepared to perform their responsibilities, to investigate data breaches and identify and correct deficiencies that may have contributed to the data breach, and to demonstrate to Plans that the TPA has implemented all required corrective action to gain control of the breach and to prevent breaches from occurring in the future.
Download: Time for Self-Funded Employer Health Plans, TPAs to Take Data Breach Issues Seriously