August 11, 2014

Group Health Plans Face Greater Scrutiny for Security Violations

by Nashville Health Care Council | Aug 11, 2014
Mary A. Chaput, MBA, HCISPP, CIPP/US, CIPM, CFO and chief compliance officer, Clearwater Compliance


On the Department of Health and Human Services (HHS) website there is a page that has been dubbed the “Wall of Shame.” It lists every organization that has reported a breach of Protected Health Information (PHI) affecting 500 or more individuals.

On that page you will find the names of more than 1,000 large and small health care organizations responsible for breaches of the PHI of almost 32 million Americans. Yet only about 6% of the listed breaches are attributed to IT incidents or hacking. The other 94% are caused by people: your own employees or those of your many business associates (BAs). Most breaches come down to simple human error: lost or stolen laptops holding unencrypted data, improper disposal of paper records, uploads to public websites, and the like.

The cost of HIPAA violations and data breaches can run into the millions of dollars once you add up forensics, notification costs, legal fees, regulatory penalties, class action lawsuits, and lost business due to reputational damage. Before the HITECH Act, the civil penalty for violations of a single HIPAA provision was capped at $25,000 per calendar year; for violations involving willful neglect, that cap is now a staggering $1.5 million. And don’t forget: a single data breach usually involves multiple HIPAA violations.

Group Health Plans Especially Vulnerable

While other covered entities have fairly clear-cut responsibilities under the ever-evolving HIPAA regulations, the picture is trickier for group health plans (GHPs).

Because an employer may have access to its employees’ health information, and because that information could be used in employment decisions, GHPs carry additional HIPAA requirements governing access to and disclosure of member PHI, including limits on what the plan may share with the plan sponsor.

Here are some ways that a GHP can reduce its exposure to HIPAA violations and data breaches:

Know your requirements – The activities of the GHP and the type of PHI its employees handle determine which Security Rule and Privacy Rule provisions apply. Make sure you don’t underestimate which requirements apply to your GHP.

Clarify policies and procedures – It is critical to document policies and procedures that cover every applicable regulation, and to specifically prohibit activities such as snooping in health records, which can be a temptation for GHP employees checking up on colleagues or company officers.

Implement a comprehensive training program – Don’t rely on a 30-minute general online HIPAA course alone. Employees need to understand how the HIPAA regulations relate specifically to their job responsibilities, how to handle requests for access, and how to report suspected or confirmed violations.

Complete a HIPAA security risk analysis – The HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)) requires a bona fide risk analysis that identifies the current threats, vulnerabilities, safeguards and controls associated with every asset that receives, creates, maintains or transmits electronic PHI.

Strengthen your business associate relationships – Ensure that every BA has signed an up-to-date BA agreement incorporating the requirements of the 2013 Omnibus Final Rule. Risk-rate your BAs by the data they hold, the services they provide, and the likelihood and impact of a breach, so that you know where your highest exposure lies.

Fourteen GHPs are on the HHS Wall of Shame for breaching the records of almost 45,000 employees – and ten of those breaches were caused by the GHPs’ business associates. You can reduce the risk of your GHP’s name being added to the list by taking these recommended steps.
