HIPAA Privacy and Security Obligations during COVID-19  

Maintaining your organizational wellbeing during the unprecedented COVID-19 pandemic requires a broad view of the factors that impact your ability to achieve your business objectives while supporting the personal wellbeing of your employees. However, even during challenging times, employers have to tend to regular employee benefits-related responsibilities, including meeting Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security obligations, which can be particularly challenging with the continued presence of a remote workforce. As sponsors of employer-provided health plans, including medical, dental, vision, health flexible spending account, and similar benefits, employers must dedicate part of their workforce to take on the responsibility of HIPAA Privacy and Security compliance on behalf of their health plans. Below, we highlight some important considerations for employers as they strive to maintain HIPAA Privacy and Security compliance in pandemic and post-pandemic workplaces.

Administer. Receive. Train.
Two key individuals play pivotal roles in HIPAA compliance on behalf of a health plan. The first of these is a HIPAA Privacy Officer. A HIPAA Privacy Officer is responsible for the development and implementation of a health plan's HIPAA Privacy policies and procedures. Such an individual is thus responsible for ensuring that both administrative processes and training are in place to safeguard protected health information (PHI), including complying with individual rights under HIPAA, meeting minimum necessary standards, and responding to potential breaches. In addition, the HIPAA Privacy Officer may also serve as the contact to receive complaints and provide the information outlined in a health plan's Notice of Privacy Practices. Privacy Officers with HIPAA workforce members working remotely should assess what changes, if any, should be made to existing HIPAA policies and procedures to protect PHI that may be used or disclosed outside of the regular workplace. What additional steps should your HIPAA Privacy Officer take to ensure that the HIPAA Privacy standards for your health plan are met?

Designate. Oversee. Safeguard.
A second key individual is a HIPAA Security Officer. The HIPAA Security Officer is responsible for developing and implementing an employer-sponsored health plan's Security policies and procedures. Because the Security Rule applies only to electronic PHI (ePHI), a Security Officer is typically an individual with an IT or Information Security background. Regardless of that individual's background, the Security Officer is responsible for ensuring that an organization follows administrative, technical, and physical safeguards to protect ePHI. Those safeguards range from conducting periodic Risk Analyses and Evaluations to monitoring system activity where ePHI exists in the organization's information system to overseeing training of HIPAA workforce members on password protection, protection against malicious software, and login monitoring. Often, an organization has existing security safeguards in place on an enterprise-wide basis that simply need to be documented on behalf of the health plan and amplified with policies and procedures that are unique to HIPAA, such as appointing a Security Officer and completing an Evaluation. Security Officers should work with their health plan's Privacy Officers to determine whether any additional electronic safeguards are needed — particularly if HIPAA workforce members continue to work remotely or new risks arise in the tide of the pandemic. What additional safeguards, if any, should your HIPAA Security Officer implement to protect ePHI?

Follow. Review. Update.
Written HIPAA Privacy and Security policies and procedures are critical to any covered entity's HIPAA compliance. Privacy policies and procedures are intended to address PHI in any form — oral, written, or electronic — and focus on processes related to required and permissible uses and disclosures of PHI, using the minimum necessary PHI to accomplish a task, providing a Notice of Privacy Practices, handling individual rights (such as the right to access), and meeting other administrative requirements. Security policies and procedures are intended to protect the confidentiality, integrity, and availability of ePHI, and include administrative, technical, and physical safeguards. Such safeguards include criminal background checks for HIPAA workforce members, encryption of data at rest and in transit, and auditing software. Periodically, those policies and procedures should be reviewed to determine whether circumstances have changed, necessitating a change in policies and procedures and whether security safeguards are sufficient to protect ePHI. When did your organization last review your health plan's Privacy and Security policies and procedures to determine whether updates or changes are needed?

Train. Refresh. Retrain.
In addition to maintaining written policies and procedures, it is important for a covered entity to follow those policies and procedures, but it is difficult for workforce members to follow any policies and procedures without training. Thus, it is essential (and indeed required by both the Privacy and Security Rules) for HIPAA workforce members to undergo training. Training should occur on two bases. First, newly hired individuals should be trained within a reasonable period of time after hire. Although the regulations do not specifically indicate how long that reasonable period of time is, the Department of Health and Human Services (HHS) has often used 30 days when entering into Compliance Resolution Agreements with non-compliant organizations. Second, HIPAA workforce members should receive periodic refresher training. The regulations do not specify how often refresher training should occur, but if an organization has an incident indicating that workforce members need additional information on processes or a change in policies and procedures occurs, then refresher training is in order. Additionally, some organizations provide refresher training on an annual basis. As a rule of thumb, organizations should provide refresher training at least every other year or every three years, and whenever a substantial security threat arises. Recently, organizations have experienced increased threats to their ePHI — particularly organizations that have deployed their human resources and benefits personnel to work remotely. Thus, additional training may be in order to respond to heightened electronic security threats. How can you refresh your HIPAA training program?

Respond. Mitigate. Resolve.
For any organization with an information system, whether a security incident occurs is not a matter of IF, but WHEN. Under HIPAA, a security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. HIPAA's security incident procedures standard requires a covered entity to implement policies and procedures to address security incidents. In addition, a covered entity must identify and respond to suspected or known security incidents, mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity, and document security incidents and their outcomes. Often, organizations will either lack security incident policies and procedures, or their policies and procedures will be developed without consideration of PHI. What steps has your organization taken to include PHI in its security incident response plan?

This is a preview edition of Priorities and Perspectives, a monthly publication produced by Gallagher's Compliance Consulting Practice. For five more action steps to help you focus your compliance efforts in 2020, contact your Gallagher representative or visit our Compliance Resources page for the full version of this month's edition.


Compliance is a series of actions, not a final destination. As a trusted advisor, Gallagher has developed this Priorities and Perspectives series to help you pursue a path through employee benefits compliance issues as part of an overall continuing compliance plan. Employers should carefully evaluate their health and welfare plans to determine if they are in compliance with both federal and state law. If you have any questions about one or more of the compliance requirements listed above, or would like additional information on how Gallagher constantly monitors laws and regulations impacting employee benefits in order to support employers in their compliance efforts, please contact your Gallagher representative.


The intent of this analysis is to provide you with general information. It does not necessarily fully address all your organization's specific issues. It should not be construed as, nor is it intended to provide, legal advice. Questions regarding specific issues should be addressed by your organization's general counsel or an attorney who specializes in this practice area.