Data Breach Reporting

Q. Our client has a medical expense reimbursement plan (MERP) with Nonstop Health. The carrier that administers the MERP may have had a data breach. The group received the message: “Based on our review of the addresses where notices were mailed to the individuals from your organization who were potentially impacted, we are advised you may have a notice obligation to the Office of Civil Rights at the U.S. Department of Health and Human Services (HHS). This may be the case if your organization is a “Covered Entity” pursuant to HIPAA. Generally speaking, you may be a covered entity if your organization administers a self-funded health plan. While we provide this information for your convenience, we ask that you consult your own legal counsel to confirm your potential legal obligations in this matter. Upon your confirmation of your organization’s status as a Covered Entity pursuant to HIPAA, we will draft a HHS notice for your approval and then submit it on your behalf. If you determine that Nonstop should notify HHS on your organization’s behalf, please confirm the appropriate contact name, phone number, and email address for a representative of your organization who can be listed on the HHS notice.” Can you please advise on this matter?

A. Your client is a covered entity if it sponsors a MERP. As a result, your client may have reporting obligations to impacted participants or HHS. However, it sounds like the breach occurred by the administrator of the MERP. Your client should have a Business Associate Agreement with the administrator. Your client should review the Business Associate Agreement to determine what steps the administrator is required to take in the event of a breach. They may be required to handle the breach reporting and breach assessment for your client.

Also, if your client has HIPAA Policies and Procedures, those should be reviewed to see what other steps your client is required to take.

Some good information on the HIPAA breach notification rules is available on the HHS website.

Responses to compliance questions provided by Kutak Rock.