2023 Data Security Incident Response Report

Employer-Sponsored Health Plans


HIPAA Affects More Than Healthcare Providers

Non-healthcare companies do not always realize that certain information related to their employee health benefit plans is regulated by HIPAA, and that a breach of this data is subject to enforcement and penalties by the Office for Civil Rights (OCR). Just as a hospital must comply with HIPAA’s Privacy, Security, and Breach Notification Rules, employer-sponsored health plans are themselves HIPAA “Covered Entities” and must comply with the same regulations, even if the sponsoring company is not a healthcare provider. When a threat actor steals data from directories on a file server used by the HR department, and PHI related to the plan is stored there, both state breach notification laws and HIPAA’s Breach Notification Rule must be considered. These scenarios are fairly common in ransomware incidents, and they greatly increase the complexity of the response effort.

Why Does HIPAA Apply?

So why are manufacturers, technology, hospitality, energy, and financial services companies subject to a “healthcare” law? Because HIPAA also governs “group health plans,” which include both fully insured and self-insured employee welfare benefit plans that (1) have 50 or more participants or are administered by an entity other than the employer (e.g., a third-party administrator), and (2) provide payment for medical care. The employer, in its role as the plan sponsor or plan administrator, must maintain a HIPAA compliance program and safeguard participants’ protected health information (PHI).

Most companies use third-party administrators (e.g., United Healthcare, Blue Cross) to administer claims on behalf of the health plan. Enrollment and claims information handled in this way is subject to HIPAA. The third-party administrator is the plan’s Business Associate, and the plan is the Covered Entity, which bears the liability for a breach.

Regulators Are Actively Investigating Employer-Sponsored Plans

The OCR has likely seen an increase in breach notifications from employer plans, and post-incident investigations are now being opened on a routine basis (some involving fewer than 500 individuals). We are also seeing follow-on investigations from the Department of Labor with a focus on the plan’s overall cybersecurity posture.


Take Action: Conduct a Risk Assessment

Prioritize a review of all data held by human resources and other internal departments with access to plan-related information to identify what is covered by HIPAA and determine whether a sufficient compliance program is in place. All companies should:

Assess Their Benefit and Wellness Programs

Identify benefit offerings subject to HIPAA, as the regulations cover more than just “health insurance.” Covered plans may include health, dental, vision, employee assistance programs, health reimbursement arrangements, wellness programs, and health spending accounts.


Track Plan Information

Identify where, why, and to what extent plan PHI is created, received, maintained, or transmitted by the plans and Business Associates. The discussion should involve IT, finance, HR, legal, and other departments that may handle PHI as part of their job functions. Look for files with enrollment information, high-spend reports, and claims information. Apply a retention program and get rid of files no longer needed.


Implement a Compliance Program

The program should include appropriate policies and procedures based on the type of plan, HIPAA-specific training, and an annual HIPAA security risk analysis and risk management plan. Companies should also review their plan documents to ensure they include the HIPAA-required components and certification.

