Health plan sponsors should take note: Regulators are increasing their focus on the privacy and security of health information. And failure to comply with the latest guidance on these areas could prove costly.
In their article “Risks Abound: What’s Going on With Health Information and Cybersecurity” in the November/December issue of Benefits Magazine, attorneys Katherine R. Kratcha and Sarah A. Sargent provide an update on enforcement efforts and litigation related to the Health Insurance Portability and Accountability Act (HIPAA) and data security practices.
What Are the Rules?
The authors explain that the HIPAA Privacy and Security Rules establish standards for how covered entities, such as group health plans and their vendors, should handle protected health information (PHI), which could include information such as a health plan member’s mail address or medical record number.
What Happens If Plans Violate These Rules?
Entities that fail to comply with the Privacy and Security Rules could face an investigation or enforcement action from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Penalties include civil or criminal fines and criminal charges. Civil penalties can range from $100 to $500,000 per violation.
What’s New?
Kratcha and Sargent discuss the following trends related to HIPAA enforcement actions and cybersecurity.
DOL Asking Cybersecurity Questions
The Department of Labor (DOL) has begun asking questions and requesting documents on health plan cybersecurity during health plan investigations, the authors note. Many of these requests are consistent with DOL guidance from April 2021 that was generally directed at retirement plans. Kratcha and Sargent say recent investigations indicate that DOL has gained enough experience with cybersecurity to start questioning fiduciaries of health plans.
Use of Online Tracking Technologies
In 2022, OCR issued guidance on the use of online tracking technologies by HIPAA-covered entities and business associates. This guidance clarified that the use of online tracking technologies, such as the Meta pixel, Google Analytics or other website cookies, could result in the impermissible sharing of PHI, the authors explain.
After this guidance came out, multiple lawsuits were filed against health care providers alleging that they violated the HIPAA Privacy Rule by sharing IP addresses with technology providers without a business associate agreement or any other basis that permitted such disclosures.
Health plans should pay attention to this trend if they use tracking technologies. An example would be a health plan web page that requires users to log in and uses website analytics to track how those users navigate the site.
To avoid litigation, the authors advise plans to first investigate whether and how their websites or mobile applications use tracking technologies. If they are being used, plans should make sure they know what information is being collected and shared with technology vendors. If PHI could be shared with a vendor, then a business associate agreement must be in place with that vendor. In addition, plans that rely on vendors to manage tracking technologies should practice caution, since many vendors do not fully understand the latest OCR guidance, Kratcha and Sargent write.
Impacts of Large Vendor Data Breaches
Large vendor data breaches over the last few years have impacted HIPAA-covered entities and health plans. An initial court decision in one vendor data breach–related lawsuit should put health plans on notice to make sure that their vendor contracts are well-negotiated, the authors warn. Following a 2020 ransomware attack against software provider Blackbaud, Inc., a court ruled that the company did not owe any fiduciary duties to one of its customers, Trinity Health, leaving Trinity Health on the hook for the costs of mailing notices and providing credit monitoring to patients affected by the data breach, as well as legal fees.
With that in mind, Kratcha and Sargent recommend that health plans include the following provisions in their contracts or business associate agreements with key vendors that have access to PHI:
- Specific security requirements above and beyond mere compliance with law
- Detailed reporting requirements related to data breaches
- An obligation to effectuate notice at the direction of the plan or to reimburse the plan for any incurred notification costs
- A provision requiring the vendor to indemnify the plan for any costs related to a data breach
- An exclusion from the limitation of liability for any data breach–related costs.
OCR Reorganization
Changes at OCR likely signal an increased focus on enforcement of health information regulations, the authors write. OCR is reorganizing into three new divisions: Enforcement, Policy and Strategic Planning. It is also renaming the Health Information Privacy Division to the Health Information Privacy, Data, and Cybersecurity Division (HIPDC) to better reflect its cybersecurity work. HIPDC will support the three new divisions in addressing health information privacy and cybersecurity.
“The name of the new enforcement division makes its mission clear; OCR intends for the division to more effectively respond to complaints and drive greater enforcement of the law,” Kratcha and Sargent comment.
Where Should Plans Focus Their Efforts?
The authors write that in OCR’s most recent Report to Congress, the agency identified several areas under the Security Rule where plans need to improve compliance, including the following:
- Conducting risk analyses, implementing security risk management measures and regularly reviewing system activity
- Implementing audit controls to catch and review malicious activity
- Allowing only those with proper access rights into systems containing electronic PHI.
“Breaches and cyber-threats are not likely to decline in 2024. Plan sponsors should take the time to consider their plans’ security and make any necessary changes for their protection,” Kratcha and Sargent conclude.