The Anthem and Premera Blue Cross data breaches caused widespread panic throughout the employer health plan community earlier this year. For many, these data breach announcements served as a wakeup call for employer health plan sponsors to review and further refine their business associate contracts.
As a health plan sponsor, the employer is responsible for its health plan’s compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In carrying out its responsibilities under the plan, an employer may delegate some or all of those responsibilities to one or more business associates, but the employer remains ultimately responsible for the plan’s HIPAA compliance. A “business associate” is any party providing services to the health plan that receives, or may receive, protected health information (PHI) from the health plan. A health plan typically has multiple business associates, which can include insurers, administrative service providers, consultants and claim administrators. It is, therefore, important that employer health plan sponsors be able to identify the health plan’s business associates and to have on file copies of their service agreements and business associate contracts.
Although HIPAA mandates certain provisions be included in business associate contracts, it became clear in the aftermath of these data breaches that many service agreements and business associate contracts lacked transparency. Accordingly, employers may need to review their business associate contracts for necessary revisions to reflect the lessons learned from the Anthem and Premera Blue Cross data breaches, namely:
- clarifying the responsibilities of the employer health plan sponsor, the health plan and the business associate in the event of a data breach under both HIPAA and any applicable state breach notification laws;
- refining liability and indemnification provisions in the event of a breach; and
- describing the obligations of the business associate with respect to personally identifiable information (rather than addressing only protected health information).
The recent large-scale data breaches serve as a reminder that HIPAA imposes significant responsibilities on group health plans. Employers may wish to treat this as an opportunity to review their underlying business associate contracts so that they are prepared if their group health plans become subject to such a breach.