Preview of May Compliance Guide: HIPAA Privacy and Security

As many employers sponsoring health plans have discovered, Privacy and Security compliance under the Health Insurance Portability and Accountability Act (“HIPAA”) is an ongoing activity and not a static, one-time event. Although the Privacy and Security Rules became effective over ten years ago, many employers do not have an active program in place. Plan sponsors can set the right course for an effective program by attending to several critical activities beyond maintaining written policies and procedures and conducting new-employee and periodic training. In particular, plans should respond to the safeguards and procedures highlighted by the Department of Health and Human Services (“HHS”) in its audit protocol and in the corrective actions of recent Compliance Resolution Agreements.

Employers committed to becoming destination workplaces must keep pace with evolving legislative and regulatory initiatives that may pose risks to meeting cost targets, developing strategic benefits and compensation programs, and attracting and retaining top talent. As a trusted advisor, Arthur J. Gallagher & Co. will help you navigate the ever-changing landscape of employee benefits compliance issues. Check out the action items below for some critical checkpoints in developing a strong HIPAA Privacy and Security program.

1. Conduct a periodic review of your HIPAA workforce members’ job duties.

Plans must periodically assess whether HIPAA workforce members’ written job descriptions include the protected health information (“PHI”) access level that they should have. Further, a plan’s Privacy and Security Officers should periodically confer to determine whether appropriate access is enforced technologically. For example, a HIPAA workforce member who only works with the plan’s dental benefits should not be able to access information about the plan’s medical benefits on a shared drive folder or elsewhere on an information system. Further, access levels should be documented and available for review in the event of an HHS audit. When did you last review your HIPAA workforce members’ written job descriptions and compare their identified duties to their level of access to PHI?

2. Watch for signs of inappropriate system activity.

System activity review is an often-overlooked but required safeguard under the Security Rule. This requirement is intended to engage plans in an ongoing review of who has access to electronic PHI (“ePHI”). This typically requires a plan to implement audit mechanisms to record and examine information system activity (e.g., who accessed a file and when). Some organizations have software that automatically scans information system activity. Other organizations use programs that flag only activity outside the normal range, such as accessing ePHI during non-business hours or during an employee’s time off (e.g., on a leave of absence), or accessing an abnormally high number of records containing ePHI. Plans are not necessarily required to keep the actual system activity logs, but must have documentation that logs are periodically reviewed. Have you established a documented system activity review program for access to ePHI?
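As an added illustration (not part of the original guide or any Gallagher tool), the following script applies the three flagging rules described above to a constructed ePHI access log and produces the review record that documents the review itself. The log format, business-hours window, volume threshold, and leave calendar are all assumptions chosen for the example.

```python
from datetime import datetime, date

# Constructed sample ePHI access log (not from a real system):
# timestamp, user, file path, number of records touched
SAMPLE_LOG = """\
2023-05-02T09:15:00,jdoe,medical/claims_2023.csv,12
2023-05-02T23:40:00,jdoe,medical/claims_2023.csv,8
2023-05-03T10:05:00,asmith,dental/claims_2023.csv,4
2023-05-06T11:00:00,asmith,dental/claims_2023.csv,6
2023-05-04T14:30:00,bjones,medical/enrollment.csv,2
2023-05-04T15:00:00,rlee,medical/claims_2023.csv,850
"""

# Constructed leave-of-absence calendar: user -> (first day, last day), inclusive
LEAVE = {"bjones": (date(2023, 5, 1), date(2023, 5, 12))}

BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 on weekdays; assumed plan policy
HIGH_VOLUME = 500               # records per access event; assumed plan policy

def parse_log(text):
    """Turn the CSV-style log into (timestamp, user, path, record_count) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, path, n = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, path, int(n)))
    return rows

def flag_event(ts, user, n, leave=LEAVE):
    """Return the list of reasons (possibly empty) an access event is out of the normal range."""
    reasons = []
    if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if user in leave and leave[user][0] <= ts.date() <= leave[user][1]:
        reasons.append("user on leave of absence")
    if n >= HIGH_VOLUME:
        reasons.append(f"high volume ({n} records)")
    return reasons

def review_activity(text, leave=LEAVE):
    """Run every log line through the rules; keep only flagged events, in log order."""
    findings = []
    for ts, user, path, n in parse_log(text):
        reasons = flag_event(ts, user, n, leave)
        if reasons:
            findings.append({"when": ts.isoformat(), "user": user, "path": path, "reasons": reasons})
    return findings

def review_record(findings, reviewer, reviewed_on):
    """Evidence that the review occurred; retained even if the raw log itself is not kept."""
    return {"reviewed_on": reviewed_on, "reviewer": reviewer,
            "events_flagged": len(findings),
            "flagged_users": sorted({f["user"] for f in findings})}
```

Each flagged event carries the rule(s) it tripped, so a Privacy or Security Officer can follow up per user; the review record, not the raw log, is what an auditor would ask to see.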

3. Don’t take risks on Risk Analyses.

Under the HIPAA Security Rule, a plan must periodically conduct a Risk Analysis. A Security Risk Analysis is an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of a plan’s ePHI. The analysis seeks answers to questions such as: What ePHI does your organization create, receive, transmit or retain? What are the external sources of ePHI? For example, do vendors or consultants create, receive, maintain or transmit ePHI? What are the human, natural, and environmental threats to information systems that contain ePHI? Although HIPAA does not specify when a Risk Analysis should be conducted, it is a best practice to conduct one every two to three years, or whenever a change in business operations or environment impacts your employer-sponsored health plan. When did you last undergo a Security Risk Analysis for your health plan?

4. Take the wheel with added benefits from cyber liability coverage.

With the current level of cyberattack activity, the question is not if, but when a cyberattack will occur. For that reason, organizations should consider adding cyber liability insurance coverage to their mitigation efforts for handling electronic breaches of private information such as ePHI. Not only can cyber liability insurance defray some of the costs associated with an electronic breach, but such coverage may also have added benefits. One such benefit may be a breach coach, typically an attorney who guides your organization through the breach response process and seeks to limit the organization’s legal exposure. In addition, insurers may be able to provide referrals for a range of service providers including forensics experts, data breach notification processors, legal counsel, and public relations firms, often available at a pre-negotiated, discounted rate. In crises, having access to such services can significantly decrease the impact of a breach. Have you included cyber liability coverage as part of your breach response plan?

5. Ride alongside your Business Associates.

HIPAA generally requires that plans and their Business Associates enter into agreements with promises that the Business Associates will appropriately safeguard PHI. However, plans may overlook certain organizations such as cloud service providers, benefit statement vendors, off-site storage providers, and other vendors whose activities on behalf of a plan may not readily come to mind when identifying Business Associates. Therefore, a good practice is to map out the flow of PHI within and through an organization with identification of which parties — both internal and external — touch PHI. That can help a plan to develop a more thorough understanding of the identity of its Business Associates to ensure that it has agreements with all of the appropriate parties. Have you mapped out which external parties have a role in creating, receiving, or maintaining PHI on behalf of your plan?

And five more potential roadblocks to HIPAA compliance, available in the full version of the May Compliance Guide. To get the full version of the Compliance Guide, or additional information on how Gallagher constantly monitors laws and regulations impacting employee benefits and supports employers in their compliance efforts, please contact your Gallagher Benefit Services representative or contact us online.


Compliance is a journey, not a destination.

As a trusted advisor, Arthur J. Gallagher & Co. has developed this Compliance Guide series to help you map a path through employee benefits compliance issues as part of an overall compliance plan. Employers should carefully evaluate their health and welfare plans to determine if they are in compliance with both federal and state law. If you have any questions about one or more of the compliance destinations listed above, or would like additional information on how Gallagher constantly monitors laws and regulations impacting employee benefits in order to support employers in their compliance efforts, please contact your Gallagher Benefit Services representative.


The intent of this analysis is to provide you with general information. It does not necessarily fully address all your organization’s specific issues. It should not be construed as, nor is it intended to provide, legal advice. Questions regarding specific issues should be addressed by your organization’s general counsel or an attorney who specializes in this practice area.