
Health and Welfare Plan Stakeholders Beware: Federal and State Data Breach Notification Laws Pose Systemic Risk to Your Enterprise

Elizabeth Lapaugh

Summary

  • Provides an overview of breach notification requirements under HIPAA, SEC rules, the FTC's Health Breach Notification Rule, and a sample state law (New York).
  • Briefly discusses the DOL's new cybersecurity guidance for group health plans (GHPs).
  • Provides a few recommendations for reducing the risk from a data breach.

Data breach accountability has become an enforcement priority for regulators across industries – including healthcare delivery. Group health plans, plan sponsors, insurers, and service providers must know their obligations under federal and state breach notification laws and have strategies in place now to ensure timely compliance.

Compliance may not be as simple as a regulated entity might expect. Data breach regulation is decentralized. No federal law effectively preempts all state law responsibilities. Moreover, distinct federal or state breach laws apply to various components of a regulated entity’s enterprise. A high-level summary of key federal breach notification rules and an overview of New York’s requirements follow.

Health Insurance Portability and Accountability Act (“HIPAA”) Breach Notification Rule

The Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) enforces the HIPAA Breach Notification Rule against “covered entities,” which include a health plan, healthcare provider, or healthcare clearinghouse. Covered entities may delegate their breach reporting obligations to service providers that are business associates via a business associate agreement.

Not every security incident is a reportable HIPAA breach. The HIPAA breach rules only apply to unsecured protected health information (“PHI”). PHI is individually identifiable information, relating to the past, present, or future provision or payment of healthcare to an individual, that is held by a covered entity or a business associate. Therefore, secured PHI (e.g., encrypted under HIPAA standards) or de-identified PHI is not subject to the HIPAA breach rules. However, more protective state breach laws may cover such information.

HIPAA provides four factors to be considered when evaluating whether an incident is a reportable breach: (1) the nature and extent of the PHI involved (including the likelihood of re-identification); (2) the unauthorized person who accessed the PHI; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI was mitigated. If the covered entity determines a HIPAA breach occurred, it must notify impacted individuals within sixty days of discovery, and, if the breach involves more than 500 residents of a state or jurisdiction, it must also notify the media within this timeframe. If a breach involves 500 or more individuals, the covered entity must notify the OCR within this same sixty-day timeframe; if fewer than 500 individuals were impacted, it may instead file an annual report with the OCR. Additionally, business associates must report a breach to the covered entity within sixty days of discovery.

Securities and Exchange Commission (“SEC”) Cybersecurity Disclosure Rule

Effective December 18, 2023, publicly traded companies must file an “Item 1.05” on the Form 8-K in the SEC’s online database, EDGAR, within four business days of discovery of a “material” cybersecurity incident, regardless of whether HIPAA is applicable. The SEC explained a breach is considered “material” if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision. When making a materiality determination, regulated companies should weigh qualitative and quantitative factors, including the possibility of litigation or regulatory investigations.

The information reported in Item 1.05 should focus on the breach’s impact rather than provide incident details, in order to avoid empowering threat actors with actionable information that could harm the company or investors.

Breach reporting may be delayed if disclosure would pose a substantial risk to national security or public safety, contingent on a written notification by the United States Attorney General. A company must also amend its initial filing of the Form 8-K within four business days if it discovers information impacting the materiality of the reported cybersecurity incident.

Effective for fiscal years ending on or after December 15, 2023, regulated companies must also submit an annual cybersecurity disclosure (Item 106 on Form 10-K for domestic companies). A company must describe its cybersecurity risk management and strategy; the material effects (or reasonably likely material effects) of cybersecurity threats; management’s role and expertise in assessing and managing material risks from cybersecurity threats; and the board of directors’ oversight of cybersecurity risks.

Federal Trade Commission (“FTC”) Health Breach Notification Rule

Federal Trade Commission Act section 5 prohibits unfair or deceptive acts or practices in or affecting commerce. Under the American Recovery and Reinvestment Act of 2009, the FTC has enforced this prohibition against entities holding individually identifiable health information in a personal health record (“PHR”) that are not subject to HIPAA.

A PHR is an electronic record of identifiable health information on an individual that can be drawn from multiple sources and is managed, shared, and controlled by or primarily for the individual. The FTC established data breach notification requirements that apply to PHR vendors, PHR related entities, and third party service providers. The FTC requires regulated entities to provide notification of a security breach, meaning a case in which unsecured (e.g., not encrypted) identifiable health information in a PHR is disclosed as a result of a data breach or a disclosure not authorized by the individual.

The FTC’s breach reporting timelines mirror those applicable to covered entities under HIPAA. PHR vendors and PHR related entities must notify individuals and, in certain cases, the media of a security breach within sixty calendar days of discovery. The FTC must also be notified within this timeframe if more than 500 individuals were impacted. For breaches involving fewer than 500 individuals, the FTC may be notified via an annual report. Additionally, third party service providers must notify PHR vendors or PHR related entities of a security breach.

The Department of Labor (“DOL”) Recognizes Breach Risks for Group Health Plans via Guidance

On September 6, 2024, the DOL released guidance calling on group health plan fiduciaries to mitigate cybersecurity risks. The DOL explained that group health plans are attractive targets for cybersecurity attacks as they hold sizeable assets and personally identifiable information, including sensitive data. The DOL noted that this guidance is an overview of cybersecurity best practices that plan fiduciaries should consider when making prudent decisions as to service provider selection. The DOL indicated a formal cybersecurity program should be in place, which should include (in part) annual risk assessments, third-party audits, clearly delineated security roles and responsibilities for service providers, cybersecurity training for all employees, and effective security measures (e.g., set incident response procedures).

While this guidance does not mandate adoption of particular protocols, stakeholders are now on notice that cybersecurity practices of group health plans and their service providers are an area of concern for the Department. Plan sponsors and service providers should be prepared to address potential questions about their plan-related cybersecurity measures in the event of a DOL audit.

State Breach Laws

In addition to the above federal requirements, entities involved in healthcare delivery should be aware of applicable state data breach laws.

While insurers and vendors may be accustomed to state law compliance challenges, group health plans enjoy the benefit of Employee Retirement Income Security Act (“ERISA”) preemption from many otherwise applicable state and local requirements. Although the issue is unsettled, it is unlikely that group health plans could rely upon ERISA to preempt state data breach notification laws. ERISA preempts “any and all State laws insofar as they may now or hereafter relate to any [ERISA] employee benefit plan,” with limited exceptions. State data breach notification laws generally apply to entities doing business in the state or entities holding state residents’ personally identifiable information. Therefore, these laws are typically of general applicability and do not “relate to” an ERISA plan. For example, in the privacy law context, a circuit court held that ERISA did not preempt a participant's invasion of privacy tort claim when an insurer investigated his employment status, since ERISA offers no remedy for such a claim.

Additionally, HIPAA only preempts state law that is “contrary to” HIPAA, which means that a covered entity or business associate would find it “impossible to comply” with both the federal and state law or where the state law is an “obstacle to the accomplishment” of HIPAA. Therefore, HIPAA is often seen as a “federal floor.” If a state law is more stringent, but it is possible to comply with both the state law and HIPAA, the state law will still apply.

Example: New York State Data Breach Notification Law

Many states have a breach reporting rule similar to the HIPAA breach rules. For instance, New York requires a “person or business” to report a breach where “private information” of a New York resident is reasonably believed to have been accessed or acquired without valid authorization.

The New York breach law defines “private information” as personal information (i.e., information that includes some form of identifier), not lawfully available to the public, in combination with certain data elements (such as a social security number, among others). The law is triggered when unauthorized access to computerized data occurs that compromises the confidentiality or integrity of the private information of a New York resident held by any person or business that owns or licenses such data. Regulated entities also have some leeway to determine whether the unauthorized disclosure of private information is reportable. Notably, a regulated entity must report the breach “in the most expedient time possible and without unreasonable delay” to impacted individuals and certain state authorities.

While many states have this type of breach reporting requirement for certain types of information, New York law goes a step further and requires reporting to the New York Attorney General if a HIPAA covered entity experiences a reportable HIPAA breach, regardless of whether the information breached is considered “private information” under New York law. The HIPAA breach must be reported to the New York Attorney General within five business days of notifying the HHS Secretary of the HIPAA breach.

Next Steps for Regulated Entities

Regulators are catching up to today’s technology. Data breach notification laws reflect regulators’ appreciation of the danger data leaks pose to consumers – particularly when sensitive information is exposed. There is no silver bullet to eliminate data breach risk. Regulated entities must be aware of their duties under applicable breach laws and have the systemic structures in place to both mitigate the risk of a breach’s occurrence as well as their enterprise’s exposure if a breach ensues. To that end, regulated entities may consider employing the below practices in order to be better positioned to manage a data breach.

Monitor Applicable Law

In addition to federal breach notification rules, all fifty states have enacted some form of data breach notification law. Staying apprised of the laws triggered by a particular breach, the coincident reporting and notification deadlines, and the differing standards for a reportable breach presents a compliance challenge in and of itself. Regulated entities need a knowledgeable team in place tracking these laws. If an entity does not have the capacity to monitor data breach laws in-house, it should consider engaging counsel or consultants.

Perform Contract Due Diligence Now

A regulated entity should have contractual measures in place that establish the entity’s and its vendors’ (and subcontractors’) responsibilities when managing a potential data breach. Regulated entities should review existing contracts, contract templates, and agreements currently under negotiation to determine if cybersecurity practices and data breach cooperation measures, including which party provides or pays for notifications, are sufficiently addressed.

Establish an Incident Response Policy

Preparedness is essential to effective management of a data breach. If a breach occurs, a regulated entity should already have in place a policy establishing its next steps. An incident response policy establishes standardized procedures for investigating and mitigating an incident and for adhering to applicable reporting and/or notification requirements. The policy should account for the unique obligations and timelines under applicable breach notification laws and should contemplate cross-communication across the regulated entity’s enterprise. Coordinated response and information sharing within an enterprise may be needed to handle a breach effectively (e.g., the SEC rules may be triggered as well as the FTC rules, involving different personnel and expertise).

Review Cybersecurity and Data Management Practices

A regulated entity should evaluate the adequacy of its cybersecurity and data management practices against industry best practices (e.g., the National Institute of Standards and Technology’s Cybersecurity Framework) or applicable guidance.

More data is not always better. A regulated entity should also understand what data it collects. If personally identifiable or sensitive data is collected and such data does not produce value to the business, the entity may wish to consider ceasing collection to minimize unnecessary risk. A regulated entity should further keep in mind to whom the data pertains: as discussed above, certain state breach notification laws may be triggered when the data held pertains to an in-state resident. Data retention practices should be established or reviewed. Regulated entities should be aware of any legal obligations to store certain data for a particular duration, as well as the appropriate procedures for data disposal.
