Group Plans More Susceptible than Ever to Security Violations

Many healthcare executives fall prey to two common misconceptions about data breaches: that the only companies making headlines for lax data security are big retailers like Target and that the biggest culprits are teenage hackers or sophisticated teams working in China or Eastern Europe.

Plenty of healthcare organizations are getting burned for inept data security. On the Department of Health and Human Services website there’s a page that’s been dubbed the “Wall of Shame” that contains a list of all the organizations that have had a breach of 500 or more Protected Health Information (PHI) records.

On this webpage, you’ll find the names of almost 1,000 large and small healthcare organizations responsible for data breaches affecting over 31 million Americans. Yet only about 6 percent of the breaches listed are due to hacking. The other 94 percent are caused by employees, yours or those of your many business associates (BAs). Most breaches are caused by simple human errors: stolen or lost unencrypted laptops, improper disposal of paper, mailings to wrong addresses, uploads to public websites, etc.

The penalties for HIPAA violations and data breaches can run into the millions of dollars when you add up forensics, notification costs, legal fees, regulatory penalties, class action lawsuits, and lost business due to reputational damage. A single HIPAA violation involving willful neglect used to carry a maximum penalty of $25,000; now it’s a staggering $1.5 million. And don’t forget: a single data breach usually involves multiple HIPAA violations.

Group Health Plans Especially Vulnerable

While other covered entities have fairly clear-cut responsibilities under the ever-evolving HIPAA regulations, it’s a bit trickier for group health plans (GHPs).

Due to the sensitivity of employer access to employee health information and concern that it might be used in employment decisions, GHPs have additional HIPAA requirements related to the access and disclosure of member PHI. Depending on the amount of PHI available to the plan, those requirements might include restriction of uses and disclosures without authorization, amendment of the plan documents and Notice of Privacy Practices, and adequate separation between the GHP and the plan sponsor.

In addition, GHPs notably tend to engage a significant number of business associates to handle various administrative services, such as enrollment, eligibility, claims management, quality improvement and IT services. The Omnibus Final Rule extended the accountability for the confidentiality, integrity and availability of PHI to business associates, which resulted in new HIPAA requirements for BAs and BA agreements.

Every GHP is now required to have updated BA agreements in place for all service providers with access to PHI. These agreements must include provisions that impose on BAs the same restrictions on use and disclosure of PHI that apply to the plan sponsor, and require corresponding restrictions on any of their downstream subcontractors.

Here are some ways that a GHP can reduce its exposure to HIPAA violations and data breaches:

Clarify policies and procedures

Depending on the amount of PHI accessible to GHP employees, it’s critical to document policies and procedures that cover all applicable regulations, and specifically prohibit activities like snooping, which can be a temptation for GHP employees checking up on colleagues or company officers. All GHP employees and BAs need to know exactly what’s prohibited, and it’s wise to have tiered sanctions based on the circumstances of a violation (e.g., whether the access/disclosure was malicious or unintentional, first-time or repeat offense, and so on).

Implement a comprehensive training program

Don’t rely on a 30-minute online general HIPAA training course alone. Employees need to understand how the HIPAA regulations relate specifically to their job responsibilities and how to handle situations involving requests for access or reporting suspected or confirmed violations. It’s also important to maintain logs of training completion in order to impose sanctions against employees who skip the training and to provide evidence to regulators that you’re being diligent in educating your staff.

Complete a HIPAA security risk analysis

The HIPAA Security Rule requires that you conduct a bona fide security risk analysis to identify all current threats, vulnerabilities, safeguards and controls associated with assets that receive, create, maintain or transmit PHI. There’s a common denominator among organizations cited on the Wall of Shame and those that are under settlement agreements with the Office for Civil Rights: virtually all failed to conduct a bona fide security risk analysis.

Strengthen your BA relationships

Ensure that all your BAs have signed up-to-date BA agreements incorporating the requirements of the Omnibus Final Rule. Risk-rate your BAs to determine your highest exposure areas in terms of the data they have, the services they provide and the likelihood and impact of a breach. Assign a relationship owner and consider requiring annual attestation of compliance from your high-risk BAs.

Estimating the impact

There’s an unbiased way to determine your organization’s exposure to the ramifications of a data breach. The American National Standards Institute (ANSI) offers a free publication called “The Financial Impact of Breached Protected Health Information” (available online at This document provides an excellent overview of the data breach landscape and includes tools for calculating the cost of a breach specifically for your organization.

Recently a well-known GHP experienced a major breach when its benefits BA hired a rogue employee from a temp agency who stole the medical records of over 5,000 current and former employees and their families. That’s a completely preventable problem if your organization takes these recommended steps.

This article was featured on

Mary Chaput

CFO & Chief Compliance Officer at Clearwater Compliance
Mary has 35 years of international and domestic business experience spanning the healthcare, information services, manufacturing and venture capital consulting industries. She is Clearwater’s CFO and Compliance Officer. As an experienced corporate CFO and risk manager, Mary works actively with customers and prospects to identify and prioritize their risks and to develop effective remediation plans within their budgets.