Under the Security Rule, must plan sponsors report security incidents to the group health plan? If so, what types of incidents must be reported and what level of detail is required?

Answer:

Although a plan sponsor may not be a HIPAA covered entity subject to the Security Rule, it would nevertheless be obligated, through its plan documents, to report such security incidents to the group health plan. Specifically, the required implementation specification at § 164.314(b)(2)(iv) requires the plan documents of the group health plan to require the plan sponsor to “report to the group health plan any security incident of which it becomes aware.” (Note that in certain circumstances a group health plan may not be required to amend its plan documents. See § 164.314(b)(1).) The plan documents could serve as the vehicle to establish a plan sponsor’s specific reporting requirements and should be developed to meet the group health plan’s specific needs. The group health plan and its plan sponsor must document the specifics of the reporting, including the frequency, level of detail, format and other relevant considerations (e.g., in aggregate or per incident, weekly or monthly). In addressing this required implementation specification, a group health plan may consider some of the following questions: what specific actions would be considered security incidents; how will incidents be documented and reported; what information should be contained in the documentation; how often and to whom within the covered entity should incidents be reported; what are the appropriate responses to certain incidents; and whether identifying patterns of attempted security incidents is reasonable and appropriate. 

For example, in order to determine the detailed content of its plan documents, in taking into consideration the requirements of § 164.306(a) and (b) and its risk analysis, the group health plan may decide that certain types of attempted or successful security incidents or patterns of attempted or successful incidents, such as a “ping” (a request-response utility used to determine whether a specific Internet Protocol (IP) address, or host, exists or is accessible) on the plan sponsor’s communications network initiated from an external source, could be reported to the group health plan in a monthly report that only includes an aggregate number of pings that month. Based on its analysis, the group health plan may also determine that other types of incidents, such as suspicious patterns of “pings” on the plan sponsor’s communications network initiated from an external source, or a specific malicious security incident, would require a detailed report to the group health plan as soon as the plan sponsor becomes aware of them.