BreachExchange mailing list archives

Employer Health Plans: Taking Responsibility for Your Business Associates


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 14 Jul 2015 17:40:19 -0600

http://www.jdsupra.com/legalnews/employer-health-plans-taking-21406/

The Anthem and Premera Blue Cross data breaches caused widespread panic
throughout the employer health plan community earlier this year. For many,
these data breach announcements served as a wake-up call for employer health
plan sponsors to review and further refine their business associate
contracts.

As a health plan sponsor, the employer is responsible for its health plan’s
compliance with the Health Insurance Portability and Accountability Act of
1996 (HIPAA). In carrying out its responsibilities under the plan, an
employer may delegate some or all of those responsibilities to one or more
business associates, but the employer remains ultimately responsible for
the plan’s HIPAA compliance. A “business associate” is any party providing
services to the health plan that receives, or may receive, protected health
information (PHI) from the health plan. A health plan typically has
multiple business associates, which can include insurers, administrative
service providers, consultants and claim administrators. It is, therefore,
important that employer health plan sponsors be able to identify the health
plan’s business associates and to have on file copies of their service
agreements and business associate contracts.

Although HIPAA mandates certain provisions be included in business
associate contracts, it became clear in the aftermath of these data
breaches that many service agreements and business associate contracts
lacked transparency. Accordingly, employers may need to review their
business associate contracts for necessary revisions to reflect the lessons
learned from the Anthem and Premera Blue Cross data breaches, namely:

- clarifying the responsibilities of the employer health plan sponsor, the
health plan and the business associate in the event of a data breach under
both HIPAA and any applicable state breach notification laws;
- refining liability and indemnification provisions in the event of a
breach; and
- describing the obligations of the business associate with respect to
personally identifiable information (rather than only addressing protected
health information).

The recent large-scale data breaches serve as a reminder that HIPAA imposes
significant responsibilities on group health plans, and employers may wish
to use this as an opportunity to review their underlying business associate
contracts so that they are prepared if their group health plans become
subject to such a breach.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
