Many employers with a self-insured group health plan (GHP) feel that their organizations are immune to gigantic data breaches like the one that hospital giant Community Health Systems experienced recently (where some 4.5 million patient records were compromised). But no organization is impervious to data breaches, including GHPs.  In fact, 18 GHPs have reported breaches affecting over 52,000 employees just this year alone.

On the Department of Health and Human Services’ online “Wall of Shame” you’ll find the names of hundreds of organizations responsible for data breaches affecting over 31 million Americans.

Yet only about 6% of the breaches listed are due to hacking. The other 94% are caused by an organization’s own employees or its many business associates (BAs). Most breaches are due to simple human errors: stolen or lost unencrypted laptops, improper disposal of paper records, mailings sent to wrong addresses, uploads to public websites, etc.

For example, TSYS Employee Health Plan experienced a significant breach when its benefits business associate hired someone from a temp agency who stole the medical records of more than 5,000 current and former employees and their families.

Organizations responsible for a breach now get much more than a slap on the wrist. The costs can total millions of dollars when you factor in forensics, notification, legal fees, regulatory penalties, class action lawsuits and lost business due to a tarnished reputation.

Group Health Plans have high HIPAA requirements

GHPs have even more HIPAA requirements than do other covered entities because of their relationship with the employer, who is typically the sponsor of the plan.

HIPAA requirements incorporate more stringent rules required by ERISA to ensure that employment decisions are not made based on an employee’s health information. Those requirements can include restriction of PHI usage and disclosures, amending of plan documents and Notice of Privacy Practices, and adequate separation between the GHP and the plan sponsor.

Under the Omnibus Final Rule, a GHP is now accountable for ensuring the confidentiality and integrity of the patient data entrusted to its numerous BAs who handle services like eligibility, enrollment, claims processing and appeals, and auditing functions.

Every GHP is now required to have updated BA agreements in place for all service providers with access to PHI. These agreements must include provisions that impose on BAs the same restrictions on use and disclosure of PHI that apply to the plan sponsor – and require corresponding restrictions on any of their downstream subcontractors.

Here are some ways that a GHP can improve its data security program:

Keep fine-tuning your policies – The services that Benefits employees are providing for your GHP may change frequently, so you need to stay on top of updating corresponding policies and procedures. All GHP employees and BAs need to know exactly what’s required and what is prohibited. For example, let them know that “snooping” (where employees pry into the files of co-workers or senior management) is completely off-limits.

Don’t rely on a humdrum HIPAA PowerPoint – If the only education tool you’re using is a brief HIPAA overview for new hires, you’re missing the point. Employees need to understand how HIPAA regulations relate specifically to their job responsibilities and how to handle situations involving requests for access, complaints, or reporting suspected or confirmed violations.

Conduct a HIPAA security risk analysis – The HIPAA Security Rule requires that you conduct a bona fide security risk analysis to identify all current threats, vulnerabilities, safeguards and controls associated with every asset that receives, creates, maintains or transmits PHI – and to remediate the risks to those assets that pose a high likelihood of a breach.

Build better BA relationships – Identify and document the contact information of the compliance officers of your BAs. Ensure that all your BAs have signed up-to-date BA agreements incorporating the requirements of the Omnibus Final Rule. Risk-rate your BAs to determine your highest exposure areas in terms of the data they have, the services they provide, and the likelihood and impact of a breach.

Implementing measures like these will strengthen a GHP’s HIPAA compliance program – and help ensure that the organization doesn’t add its name to the Wall of Shame.

This article was originally featured in Payers & Providers 

Mary Chaput

CFO & Chief Compliance Officer at Clearwater Compliance
Mary has 35 years of international and domestic business experience spanning the healthcare, information services, manufacturing and venture capital consulting industries. She is Clearwater’s CFO and Compliance Officer. As an experienced corporate CFO and risk manager, Mary works actively with customers and prospects to identify and prioritize their risks and to develop effective remediation plans within their budgets.