HIPAA Affects More Than Healthcare Providers
Non-healthcare companies often do not realize that certain information related to their employee health benefit plans is regulated by HIPAA, and that a breach of this data is subject to investigation and penalties by the HHS Office for Civil Rights (OCR). Just as a hospital must comply with HIPAA’s Privacy, Security, and Breach Notification Rules, an employer-sponsored group health plan is itself a HIPAA “covered entity” and must comply with the same rules, even though the sponsoring company is not a healthcare provider. When a threat actor steals data from an HR file share and that share holds PHI related to the plan (enrollment forms, claims correspondence, appeals), the response must account for both state breach notification laws and HIPAA’s Breach Notification Rule. This scenario is common in ransomware incidents, and it substantially increases the complexity of the response effort.
Why Does HIPAA Apply?
So why are manufacturing, technology, hospitality, energy, and financial services companies subject to a “healthcare” law? It is because HIPAA also governs “group health plans,” a term that covers both fully insured and self-insured employee welfare benefit plans that provide payment for medical care and that either (1) have 50 or more participants or (2) are administered by an entity other than the employer (for example, a third-party administrator). The employer, in its role as plan sponsor or plan administrator, must maintain a HIPAA compliance program for the plan and safeguard participants’ protected health information (PHI).
Most companies use a third-party administrator (e.g., United Healthcare, Blue Cross) to administer claims on behalf of the health plan. The enrollment and claims information exchanged in that process is PHI subject to HIPAA. In that arrangement the third-party administrator is the plan’s business associate, and the plan is the covered entity, so the plan (and the employer sponsoring it) bears the liability for a breach.
Regulators Are Actively Investigating Employer-Sponsored Plans
OCR has likely seen an increase in breach notifications from employer-sponsored plans, and post-incident investigations are now being opened on a routine basis, including for some breaches affecting fewer than 500 individuals. We are also seeing follow-on investigations from the Department of Labor, which focus on the plan’s overall cybersecurity posture rather than on the single incident.