The recent data breach involving HealthEquity, a third-party administrator, underscores the critical need for employers sponsoring self-funded medical plans to remain vigilant about data security and HIPAA compliance. This breach highlights the exposure of sensitive health information and the importance of thorough oversight of third-party vendors.
Recent headlines highlight a data breach involving HealthEquity, a third-party administrator (TPA). The firm issued a breach notification stating that health plan "protected health information" (PHI) and "personally identifiable information" (PII) were subject to unauthorized access and potential disclosure.
HealthEquity, an HSA administrator that also manages health FSAs, health reimbursement arrangements (HRAs), and other accounts, indicated that various identifying information about employees was compromised, including names, social security numbers, and other sensitive details. More concerning for employers is that the breached information included "HealthEquity benefit type, diagnoses, [&] prescription details."
While data breaches have become commonplace, as evidenced by AT&T's recent announcement of a breach affecting 73 million customers, employers sponsoring self-funded medical plans, including health FSAs and HRAs, have additional reasons to be alarmed. Self-funded medical plans are subject to the Health Insurance Portability and Accountability Act (HIPAA) regarding individually identifiable health information.
Health information, including diagnoses and treatments, is considered PHI, which plan sponsors must use and disclose in very limited ways, with serious potential penalties under HIPAA, including criminal penalties and fines exceeding $2 million for willful neglect without corrective action.
It's important to note that fully insured employer plans are also subject to HIPAA requirements. However, if the employer does not request or receive individually identifiable health information and only obtains summary information that does not identify individuals, the insurance carrier, rather than the employer, is responsible for HIPAA compliance.
Additionally, employers can be held liable for HIPAA breaches by third-party vendors that administer their plans. Employers routinely obtain business associate agreements (BAAs) from these vendors to comply with HIPAA privacy regulations and to ensure vendors adhere to privacy rules. However, recent guidance clarifies that BAAs do not absolve employers of responsibility for vendor breaches. Plan sponsors must oversee vendors to ensure compliance with HIPAA rules.
Employers using HealthEquity should ensure the company takes necessary steps to mitigate the potential damage from the privacy breach. This likely involves contacting HealthEquity to inquire about their plans for further mitigation. The breach notification did not directly address HIPAA concerns and only offered financial advice for affected individuals. Employers should request more information from HealthEquity before closing the books on this data breach.
Incident Response Plan: Employers should review and potentially update their incident response plans to ensure they can quickly and effectively address future data breaches. This plan should include clear steps for communicating with affected individuals, regulatory bodies, and other stakeholders.
Employee Training: Ongoing training for employees on data security and privacy practices is crucial. Employees should be aware of how to handle PHI and PII properly and understand the protocols for reporting suspicious activities or potential breaches.
Review HIPAA Policies and Procedures: Any employer with a self-funded medical plan is required to have written policies and procedures to maintain the privacy and security of PHI. Part of that requires that the employer appoint a Privacy Official and a Security Official to oversee compliance with the adopted policies and procedures. Any employee who, as part of the individual's job, is required to have access to PHI must be a "designated employee" and be specifically trained in the plan's privacy policies and procedures.
Vendor Management: Employers should conduct regular audits and assessments of their third-party vendors' security practices. Ensuring that vendors adhere to stringent data protection standards and regularly reviewing BAAs for compliance with the latest HIPAA guidelines is essential.
Legal Counsel Consultation: Engaging with legal counsel experienced in data privacy and security can provide employers with up-to-date advice on compliance requirements and strategies to minimize legal risks associated with data breaches.
Insurance Coverage: Employers may want to consider cyber liability insurance to cover potential costs associated with data breaches, including legal fees, notification expenses, and fines.
Technological Safeguards: Implementing advanced technological safeguards, such as encryption, multi-factor authentication, and regular security updates, can significantly reduce the risk of data breaches. Regular penetration testing and vulnerability assessments can also help identify and address security weaknesses.
Addressing these additional considerations can strengthen employers' data protection strategies and better prepare them for potential future incidents.
The HealthEquity data breach serves as a stark reminder for employers to prioritize data security and maintain stringent oversight of third-party vendors. By ensuring compliance with HIPAA regulations and demanding transparency from service providers, employers can better protect sensitive health information and mitigate potential risks associated with data breaches.
This Legal Update is not intended to be exhaustive, nor should any discussion or opinion be construed as legal advice. Readers should contact legal counsel for legal advice. All rights reserved.