
April 22, 2008

MULTIEMPLOYER HEALTH PLANS MUST BE VIGILANT ABOUT HIPAA SECURITY COMPLIANCE

The Centers for Medicare & Medicaid Services (CMS) has begun to focus on enforcement of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule by hiring an outside contractor to conduct a number of onsite compliance investigations and reviews this year. This follows on the heels of last year’s HIPAA security compliance audit initiated by the Office of Inspector General of the Department of Health and Human Services. Both developments — along with all-too-common news accounts of security breaches — serve as good reminders of the need for multiemployer health plans to review their ongoing efforts to comply with the Security Rule.

Background

The compliance deadline for the HIPAA Security Rule was three years ago: April 2005 for most health plans. (Small health plans had an additional year, until April 2006, to comply.) Prompted by that deadline, many plan sponsors completed their required HIPAA security risk assessments in 2005, and then made security-related modifications to their systems or operations. While they may have completed their first round of efforts, of all the HIPAA rules, HIPAA security compliance probably requires the most ongoing vigilance, as new threats to electronic protected health information (ePHI) rise to the forefront and new ways to guard against those threats become available. For example, growing concern about stolen laptops and other portable or remote access devices led CMS to issue explicit guidance on how plans should address the threat to ePHI posed by such devices.[1]

Security Rule Requires Periodic Assessments and Other Ongoing Activities

The HIPAA Security Rule itself recognizes this need for ongoing vigilance by explicitly requiring sponsors of health plans to:[2]

  • Perform a periodic reassessment of threats and vulnerabilities in response to environmental or operational changes affecting the security of ePHI.
  • Regularly review information system activity (e.g., audit logs, access reports and security incident tracking reports).
  • Provide fund office staff with periodic security updates as part of the plan’s security training efforts.
  • Test and revise contingency plans.
  • Review security-related documentation, including policies and procedures, periodically and update them, as needed, in response to environmental or operational changes.

Many other Security Rule requirements necessitate ongoing efforts as well. For example, if a health plan has a security incident, the plan sponsor will need to actively respond to that incident, take steps to mitigate its harmful effects, and document the incident and its outcome. In addition, as new employees are hired, clearance procedures, access authorization procedures, and training requirements will all need to be met with respect to each new employee. Similarly, as relationships with new vendors or service providers are established, new HIPAA-compliant information exchange processes (e.g., a secure Web interface) and business associate agreements will be required.

Recent Enforcement Efforts

As mentioned above, CMS will rely on an outside contractor to conduct security compliance investigations and reviews of health care organizations in fiscal year 2008. According to CMS, compliance investigations will focus on covered entities with pending complaints filed against them, while compliance reviews will arise from non-complaint sources such as media reports. CMS has not identified specific targets by name, type of covered entity or location. As part of that compliance investigation/review process, CMS recently published a sample — but fairly comprehensive — list of personnel that may be interviewed and documents that may be requested.[3] Among other items, the list calls for the “most recent” risk analysis, implying that there is likely to be more than one by this time.

Steps for Health Plan Sponsors

Health plan sponsors should first review and complete all the appropriate remediation steps outlined in their initial HIPAA security risk assessment. The purpose of that initial assessment was to set out a roadmap towards compliance. As a result, if any action items are outstanding, the plan sponsor should address those security gaps immediately.

In addition, now that a few years have passed since the initial assessment was required to be completed, plans should determine whether operational or environmental changes, like the following, may warrant a new assessment:

  • Addition of a new server,
  • Change in other hardware,
  • Change in service provider and resulting change in how data is handled and transferred, and/or
  • Significant fund office staff turnover or new hires.

How in depth a new assessment should be will depend on the circumstances, including how vigilant the plan has been all along in monitoring developments and updating systems and operations as needed. As part of that re-assessment, consideration must be given to whether modifications to policies and procedures are required.

If they have not done so already, plan sponsors should also review their remote access policies in light of the widespread use of remote access devices and the fairly recent CMS guidance focusing on those devices. The first step is to determine if there is a business case for permitting remote access to ePHI using laptops or any other portable/remote access devices. If there is a legitimate business need, risk analysis and risk management will need to drive the development of policies and procedures. Training of staff who handle ePHI will clearly be required in order to minimize the risk of human error and/or lack of awareness causing a security incident.

Remote access policies should be just one of the topics covered in ongoing security training. No matter how sophisticated a plan’s security safeguards are, they will only be effective if those who implement those safeguards and handle ePHI are adequately trained to adhere to the plan’s stated policies and procedures.

As with all issues involving the interpretation or application of laws and regulations, plan sponsors should rely on their attorneys for authoritative advice on HIPAA. The Segal Company can be retained to work with plan sponsors and their attorneys on HIPAA compliance. In addition, Segal’s Administration and Technology Consulting (ATC) Practice can be retained to assist trustees and fund office staff of multiemployer health plans in developing and reviewing their remote access policies. To discuss a review of your HIPAA security procedures, contact one of the following ATC consultants:


[1] For more about the CMS guidance on remote access to ePHI, see The Segal Company’s March 2007 Bulletin, “Multiemployer Funds and Remote Access to ePHI: New HIPAA Security Rule Guidance.”

[2] Two of these items (security updates and testing/revision of contingency plans) are “addressable” implementation specifications. As a result, some plans may have chosen to adopt somewhat different but equivalent compliance measures.

[3] See CMS’s sample interview and document request list.

Capital Checkup is The Segal Company's periodic electronic newsletter summarizing activity with respect to health care and related subjects. Capital Checkup is for informational purposes only. It is not intended to provide guidance on current laws or pending legislation. On all issues involving the interpretation or application of laws and regulations, plan sponsors should rely on their attorneys for legal advice.