The Health Insurance Portability and Accountability Act (HIPAA) requires group health plans and their business associates to conduct a security risk assessment (SRA). The federal government provides an SRA Tool to facilitate this required assessment; the tool was recently updated to version 3.6.
Applies To:
- Employers sponsoring a level-funded or self-insured group health plan.
- Employers sponsoring a health reimbursement arrangement (HRA), including an individual coverage HRA (ICHRA) that reimburses more than premiums (unless it is a self-administered HRA with fewer than 50 eligible employees, covered retirees, and COBRA qualified beneficiaries).
- Employers sponsoring a health flexible spending account (unless it is a self-administered FSA with fewer than 50 eligible employees, covered retirees, and COBRA qualified beneficiaries).
- Employers sponsoring a fully insured health plan which provides the employer with protected health information (PHI), such as through a claims analytics data feed.
- Business associates of fully insured, level-funded, and self-insured health plans.
Go Deeper:
When the health plan is fully insured, typically the carrier handles compliance with HIPAA’s privacy and security rules. However, if PHI is shared with the employer (such as in a claims analytics data feed), the employer is also jointly liable to comply with HIPAA rules. Even without claims analytics, many employers with fully insured health plans also sponsor an HRA or health FSA which is not insured, and thus trigger the requirement to comply with HIPAA’s privacy and security requirements.
When the health plan is self-funded, the plan itself is the covered entity that is subject to HIPAA’s privacy and security rules. This generally means that the employer plan sponsor is obligated to meet HIPAA’s requirements since they have access to PHI by virtue of the self-funded nature of the plan.
An employer needing to run through the privacy and security requirements typically starts with designating a privacy official and a security official, and having that person or persons conduct an SRA. The results of that SRA then help the employer develop policies and procedures for handling and protecting PHI, implementing appropriate administrative, physical, and technical safeguards, and training employees handling PHI on all those policies, procedures, and safeguards.
The SRA Tool provided by the federal government is typically the starting place for an employer needing to conduct an SRA. While it is not guaranteed to fully address all requirements under HIPAA, federal, state, local, or international privacy laws, it serves as a solid starting place for addressing the HIPAA requirements.
Penalties for Non-Compliance:
When a potential breach of PHI occurs, the federal government may conduct an investigation. When it finds an SRA was not conducted or was not updated when the employer’s plan or operating environment significantly changed, the employer can be subject to fines and penalties. A violation can also trigger litigation risk.
Practical Impact to Employers:
One major improvement to the SRA Tool is the ability to mark each section independently of others with the last date and name of the approver of that section. This may help employers better track whether the SRA has been completed in its entirety and when each section was last reviewed.