14 Sep Analyze Your Health Plan’s Electronic Security to Comply With HIPAA
If you are an employer that sponsors a health care plan, you may worry about inadvertently violating the Health Insurance Portability and Accountability Act — commonly known as HIPAA. But you also should keep in mind that there is a formal requirement for ensuring electronic data security. Specifically, sponsors of most plans must do a risk analysis to comply with the HIPAA security rule.
Pertaining to Protected Health Information (PHI)
The HIPAA security rule describes the required risk analysis as “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.”
In this context, a ‘vulnerability’ is a flaw or weakness in a security system that could be exploited (intentionally or accidentally) to breach security. ‘Risk’ is determined by assessing both the likelihood that a vulnerability will be exploited and the extent of the resulting impact on the health plan.
In performing the risk analysis, it is important to remember that the HIPAA security rule applies only to electronic PHI. Employers with insured plans may limit their compliance obligations by minimizing the amount of electronic PHI they create, receive, maintain, or transmit. For example, you might structure your plan so individually identifiable information, such as claims data, is maintained exclusively by your insurer.
Also, enrollment information created by the plan sponsor — for instance, when you administer open enrollment — does not constitute PHI because that information is not collected on behalf of the plan. Thus, the risk analysis for a small insured plan can be much simpler than that for a large, self-insured plan where the sponsor performs administrative functions.
Surveying your systems
As a first step, identify all hardware, software, facilities, workstations, and information systems used in storing, receiving, maintaining or transmitting electronic PHI. You may be surprised at the amount of electronic PHI you have. Next, identify and assess security measures currently in place to protect the electronic PHI, noting specific vulnerabilities and risks. Finally, determine what, if any, additional security measures are needed to respond to the identified vulnerabilities and risks.
It is particularly important to document completely each step of the risk analysis, including how the health plan reached its conclusions regarding vulnerabilities, risk assessment, and security measures. The security rule does not require perfect security but, in the event of a security breach, a health plan must be able to explain why its security measures were appropriate.
Undertaking the process
Note that the HIPAA security rule does not apply to a health plan that has fewer than 50 participants and is self-administered by the employer that established and maintains the plan.
If the rule does apply to you, keep in mind that it does not specify how often employers should conduct a risk analysis. Undertaking the process annually or whenever there is a major change to your health plan or information technology systems is generally recommended. For further information, please contact us.