Employers whose self-insured group health plans experienced a breach of unsecured protected health information in 2016 must act quickly to meet the March 1, 2017 deadline for reporting breaches to the Department of Health and Human Services (“HHS”). Failure to comply could be expensive. We recently reported that the HHS Office of Civil Rights announced a settlement in its first enforcement action under the HIPAA breach notification rule. As part of that settlement, HHS required a health care network to pay $475,000 for failing to report a data breach within the timeframe required by HIPAA.
Employer group health plans are “covered entities” subject to HIPAA. If the employer’s group health plan is insured (i.e., the employer pays premiums to an insurance carrier, which assumes the financial obligation to pay claims), the insurance carrier is the HIPAA-covered entity responsible for reporting breaches to HHS. If the employer’s group health plan is self-insured (i.e., the employer retains the financial obligation to pay claims), the employer’s plan is the HIPAA-covered entity responsible for reporting breaches. The third-party claims administrator (which may be an insurance carrier) is not legally responsible for filing breach reports with HHS and typically does not take on that responsibility under its administrative services agreement with the employer. Many employers incorrectly assume that their third-party claims administrator is responsible for filing the breach report with HHS. It is also important to remember that a health care flexible spending account (“FSA”) is considered a self-insured group health plan for this purpose. Breaches with respect to FSAs must also be reported to HHS.
Among other requirements, the HIPAA breach notification rule requires most covered entities to report breaches affecting fewer than 500 individuals within 60 days after the end of the calendar year in which the breach was discovered. This means that for breaches discovered in 2016 that affected fewer than 500 individuals, a covered entity must report the breach to HHS by March 1, 2017. Breaches affecting more than 500 individuals must be reported to HHS not later than 60 days following the covered entity or business associate’s discovery of the breach. Reporting is submitted online at https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true.
Covered entities should act fast to determine whether they experienced any data breaches in 2016, and whether they must report to HHS by the March 1, 2017 deadline. While waiting for anticipated changes to the Affordable Care Act, employers with self-insured group health plans (including any employers with a health FSA) should revisit their basic HIPAA compliance, including:
- Reviewing and updating HIPAA policies and procedures (or drafting such documents if they do not currently exist)
- Reviewing business associate agreements for HIPAA compliance and current best practices
- Conducting HIPAA-refresher training for personnel with access to protected health information
We expect that the HHS Office of Civil Rights will continue its HIPAA enforcement efforts even under the Trump administration.