Employers are responsible for safeguarding the protected health information (PHI) associated with their medical plans. Given the inherently sensitive nature of this information and its appeal to cyber criminals, employers need to understand HIPAA's privacy and data security requirements.
The final HIPAA privacy rules regarding medical records, together with the ongoing migration to electronic record-keeping, make business associates directly liable for their own mishandling of PHI. Employers may enter into agreements with business associates, which are third parties that hold, view, handle, or release PHI on the plan's behalf. A business associate's use of PHI is governed by the terms of a business associate agreement (BAA). The new rules require employers and all business associates to take a more proactive stance: the BAA is now only a baseline requirement, and the mere existence of a BAA no longer insulates an employer from liability for a business associate's failures. Employers therefore need to require vendors to certify that their privacy and security measures are appropriate, so that plan sponsors are not left exposed when a vendor's systems prove inadequate. Beyond certification, the employer must conduct adequate due diligence to confirm that a vendor's privacy and security measures actually meet HIPAA's requirements, and must verify the vendor's compliance with the terms of the BAA on an ongoing basis. Failure to do so can result in substantial financial and reputational harm.
This post was part of our SPOTLIGHT ON CYBER: Is Any Industry Safe?, published June 25, 2013. The feature also included these other risks: