Health Equity Breach Notification Offers Sobering Reminder to Sponsors of Self-Funded Medical Plans
Executive Summary
The recent data breach involving HealthEquity, a third-party administrator, underscores the critical need for employers sponsoring self-funded medical plans to remain vigilant about data security and HIPAA compliance. This breach highlights the exposure of sensitive health information and the importance of thorough oversight of third-party vendors.
HealthEquity Data Breach Overview
Recent headlines highlight a data breach involving HealthEquity, a third-party administrator (TPA). The firm issued a breach notification stating that health plan "protected health information" (PHI) and "personally identifiable information" (PII) were subject to unauthorized access and potential disclosure.
Impact on Employers
HealthEquity, an HSA administrator that also manages health FSAs, health reimbursement arrangements (HRAs), and other accounts, indicated that various identifying information about employees was compromised, including names, Social Security numbers, and other sensitive details. More concerning for employers is that the breached information included "HealthEquity benefit type, diagnoses, [&] prescription details."
Health FSAs and HRAs are self-funded medical plans. HSAs, on the other hand, are generally not medical plans (for this purpose or for ERISA purposes generally).
Context of Data Breaches
While data breaches have become commonplace, as evidenced by AT&T's recent announcement of a breach affecting 73 million customers, employers sponsoring self-funded medical plans, including health FSAs and HRAs, have additional reasons to be alarmed. Self-funded medical plans are subject to the Health Insurance Portability and Accountability Act (HIPAA) with respect to individually identifiable health information.
HIPAA Compliance Concerns
Health information, including diagnoses and treatments, is considered PHI, which plan sponsors may use and disclose only in very limited ways. The potential penalties under HIPAA are serious and include criminal penalties as well as civil fines that can exceed $2 million for willful neglect that is not corrected.
Fully Insured vs. Self-Funded Plans
It is important to note that fully insured employer plans are also subject to HIPAA requirements. However, if the employer does not request or receive individually identifiable health information and obtains only summary information that does not identify individuals, the insurance carrier, rather than the employer, carries the HIPAA compliance obligations.
Many employers with fully insured plans do not realize that they are subject to the HIPAA privacy rules at all. They often would like to receive detailed information about large claims for a variety of reasons. However, to retain their exception from the HIPAA privacy rules, they must maintain a "hands-off" approach to PHI.
Liability for Third-Party Vendor Breaches
Additionally, employers can be held liable for HIPAA breaches by third-party vendors that administer their plans. Employers routinely obtain business associate agreements (BAAs) from these vendors to comply with HIPAA privacy regulations and to bind the vendors to the privacy rules. However, recent guidance clarifies that a BAA does not absolve the employer of responsibility for a vendor's breach. Plan sponsors must oversee their vendors to ensure compliance with the HIPAA rules.
This requirement is often difficult for employers to manage. They hire TPAs and other vendors precisely because they lack the expertise to administer their medical plans directly. Therefore, while employers may not be able to oversee the vendors' operations in any meaningful way, they should maintain a process that requires business associates to regularly renew their commitment to maintaining PHI properly.
Recommendations for Employers
Employers using HealthEquity should confirm that the company is taking the necessary steps to mitigate the potential damage from the privacy breach. This likely involves contacting HealthEquity to inquire about its plans for further mitigation. The breach notification did not directly address HIPAA concerns and offered only financial advice for affected individuals. Employers should request more information from HealthEquity before closing the books on this data breach.
Additional Considerations:
Incident Response Plan: Employers should review and potentially update their incident response plans to ensure they can quickly and effectively address future data breaches. This plan should include clear steps for communicating with affected individuals, regulatory bodies, and other stakeholders.
Employee Training: Ongoing training for employees on data security and privacy practices is crucial. Employees should be aware of how to handle PHI and PII properly and understand the protocols for reporting suspicious activities or potential breaches.
Review HIPAA Policies and Procedures: Any employer with a self-funded medical plan is required to have written policies and procedures to maintain the privacy and security of PHI. Part of that requirement is that the employer appoint a Privacy Official and a Security Official to oversee compliance with the adopted policies and procedures. Any employee who, as part of the individual's job, must have access to PHI is a "designated employee" and must be explicitly trained in the plan's privacy policies and procedures.
Vendor Management: Employers should conduct regular audits and assessments of their third-party vendors' security practices. Ensuring that vendors adhere to stringent data protection standards, and regularly reviewing BAAs for compliance with the latest HIPAA guidance, is essential.
Legal Counsel Consultation: Engaging with legal counsel experienced in data privacy and security can provide employers with up-to-date advice on compliance requirements and strategies to minimize legal risks associated with data breaches.
Insurance Coverage: Employers may want to consider cyber liability insurance to cover potential costs associated with data breaches, including legal fees, notification expenses, and fines.
Technological Safeguards: Implementing advanced technological safeguards, such as encryption, multi-factor authentication, and regular security updates, can significantly reduce the risk of data breaches. Regular penetration testing and vulnerability assessments can also help identify and address security weaknesses.
Addressing these additional considerations can strengthen employers' data protection strategies and better prepare them for potential future incidents.
Conclusion
The HealthEquity data breach serves as a stark reminder for employers to prioritize data security and maintain stringent oversight of third-party vendors. By ensuring compliance with HIPAA regulations and demanding transparency from service providers, employers can better protect sensitive health information and mitigate potential risks associated with data breaches.
This Legal Update is not intended to be exhaustive, nor should any discussion or opinion be construed as legal advice. Readers should contact legal counsel for legal advice. All rights reserved.
About the Author
Senior Vice President, Director of Benefits Compliance
- Jay has 30+ years of experience as a tax attorney, specializing in employee benefits programs.
- Responsible for helping World's clients keep their benefit plans within the boundaries of all applicable laws and regulations while simultaneously enhancing the experience and plan results