Recently, health entities have experienced cybersecurity attacks at an alarming rate, raising concern for the integrity of the healthcare system. The information compromised in these attacks may include personally identifiable information (“PII”), such as names, dates of birth, and Social Security numbers. In response, the Department of Health and Human Services’ Office for Civil Rights (“OCR”), which oversees compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), issued a warning to Covered Entities, such as multiemployer health plans, to remain vigilant in their compliance with HIPAA and with the Department of Labor’s (“DOL”) cybersecurity guidance found in its release number 21-358-NAT.
Cyber criminals are not solely focused on attacking health or retirement plans. They have also targeted “Business Associates,” meaning entities that provide legal, billing, or auditing services to the plans. These services often require the transfer of PII and Protected Health Information (“PHI”). PHI is any information that is individually identifiable, meaning it identifies an individual from the information given, and that pertains to the individual’s past, present, or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual.
To protect its participants, a Covered Entity must enter into a Business Associate Agreement (the “Agreement”) with the Business Associate before transferring PII and PHI. This Agreement binds the Business Associate to the privacy and security provisions set forth in HIPAA. Given the significance of the recent attacks, OCR has indicated that it will begin auditing health plans with a primary focus on whether adequate Business Associate Agreements are in place with each relevant provider. We therefore suggest that each plan review its relationships with its service providers and ensure that the appropriate Business Associate Agreements, with the appropriate terms, are in place.
It is also important to note that health plans are unique when it comes to cybersecurity compliance. This is because they must comply with HIPAA’s privacy and security requirements as well as the DOL’s cybersecurity guidance.
For more information on HIPAA security requirements, you may visit:
OCR HIPAA Security Rule Guidance Material:
https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
OCR Video on How the HIPAA Security Rule Protects Against Cyberattacks:
https://www.youtube.com/watch?v=VnbBxxyZLc8
Factsheet: Ransomware and HIPAA: