This month's compliance Q&A is about the breach notification rule. With all of the recent large breaches, it has been a question we hear often. David Holtzman addresses reporting requirements.
A health plan that provides benefits to our employees just suffered a mega breach. What are our responsibilities under the HIPAA Breach Notification Rule?
The recent breaches involving Anthem and Premera have affected a number of employer-sponsored group health plans. If your group health plan has contracted with a health plan to administer its benefits, then it may have primary responsibility if the third-party administrator has a breach.

Covered entities under HIPAA are healthcare clearinghouses, certain healthcare providers, and health plans. A "group health plan" is one type of health plan and is a covered entity (except for self-administered plans with fewer than 50 participants). The group health plan is considered to be a separate legal entity from the employer or other parties that sponsor the group health plan. The Privacy Rule and the Breach Notification Rule recognize that most fully insured group health plans may not need to satisfy all of the requirements of the Rules since these responsibilities will be carried out by the health insurance issuer or HMO with which the group health plan has contracted for coverage of its members.

However, self-funded or self-insured employer-sponsored health plans are covered entities. Often, these benefit plans contract with a health insurer to act as the third-party administrator for the plan. In this case the health insurer is the business associate to the group health plan. Under the Breach Notification Rule, a covered entity is responsible for notification to individuals when a business associate suffers a breach. Some organizations have delegated this responsibility through their business associate agreements.

Group health plans should take action now to review policies for breach notification assessment and response to make sure they are prepared to respond to an incident involving their health insurer.