Proposed regulations may require employers to invest additional resources to safeguard group health plan participants’ protected health information.
In this installment of our blog series on the U.S. Department of Health and Human Services’ (HHS) HIPAA Security Rule updates in its January 6 Notice of Proposed Rulemaking (NPRM), we will explore the impact the NPRM could have for sponsors of group health plans.
As HIPAA-covered entities, group health plans that share protected health information (PHI) with employer plan sponsors must already include provisions in the plan documents reflecting the plan sponsors’ obligations to:
- Establish and maintain administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI);
- Limit access to ePHI to only authorized members of the plan sponsor’s workforce;
- Require agents of the plan to establish reasonable and adequate security measures to protect ePHI; and
- Report to the group health plan any security incident.
What’s New for Group Health Plans and Plan Sponsors?
So, what’s new in the NPRM? First, HHS proposes that group health plan documents tie the establishment of safeguards by plan sponsors and plan agents expressly to the corresponding provisions that apply to covered entities and business associates. In addition, new plan document language would specifically refer to the kind of contingency plan that covered entities are required to establish and maintain, and would require plan sponsors to report to the group health plan when that contingency plan is activated by a security incident. The NPRM would require plan documents to provide that plan sponsors will report to plans “without unreasonable delay,” but not later than 24 hours after activation of their contingency plan in response to a real or suspected data security incident. (This specific reference to contingency plans is in addition to the existing requirement to report to the group health plan any security incident of which the plan sponsor becomes aware.)
While the NPRM may ignore the reality that plan sponsors are already largely responsible for the HIPAA compliance of their group health plans, including maintaining adequate policies and procedures, the proposed provisions would require existing plan documents to be amended to reflect the new language and references embedded in the applicable NPRM provisions. As a practical matter, however, it remains to be seen whether, if finalized, the NPRM would require new policies and procedures that diligent plan sponsors do not already have in place as part of an effective HIPAA compliance framework on behalf of their group health plans.
HHS has requested comments as to an appropriate deadline for group health plan documents to be amended as described by the NPRM and whether to permit a transition period for existing plan documents (such a transition period is proposed in the NPRM for business associate agreement changes that are required by the NPRM). Group health plan sponsors should also be aware of the proposed changes to business associate agreements described in our earlier post in the series.
Next Time
In our next two posts in this series, we will summarize what to expect from the NPRM’s proposed changes to the HIPAA Security Rule’s technical and administrative safeguards. In particular, we will discuss the revised rule’s provisions concerning encryption and multi-factor authentication (MFA), as well as administrative controls such as asset inventory, workforce clearance, access management, and more.