Question: What do employers and James Bond Have in common?
Answer: Both have to combat Spectre.
However, the problem for employers is that in addition to fighting the new Spectre computer bug, employers must also combat the Meltdown computer bug. And, employers must do so in a way that complies with HIPAA. This blog will explain these cryptic references – and why James Bond may have an easier job than employers.
What are Spectre and Meltdown?
The tech world has been abuzz since the beginning of 2018 over two computer bugs – Spectre and Meltdown. These bugs create vulnerabilities that can allow hackers to access computer data, but (unlike more typical computer software vulnerabilities) these bugs pose a unique challenge – they occur as the result of the architecture of the computer’s central processing unit (CPU).
This means that the development and implementation of patches will be more difficult than usual. Indeed, as of the writing of this blog post there are no generally accepted patches. This also means that the bug affects a wide swathe of computers (all computers using Intel or ARM CPUs). And, when patches are developed, those patches may slow down computer speeds, creating an additional IT cost for these patches.
Corporate IT departments are scrambling to address the vulnerabilities created by Spectre and Meltdown and, generally, other parts of the organization are not active in the process of implementing fixes. But, there is an aspect of this situation that may require more active involvement of other parts of the organization (possibly including HR) and may even necessitate more active involvement in the responses of key vendors. This broader response may be triggered by the Health Insurance Portability and Accountability Act (HIPAA) and business associate agreements (BAAs) under HIPAA.
Regulations under HIPAA specify that:
• A health plan must “[i]mplement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits”.
• A covered entity (such as a health plan) “may permit a business associate to create, receive, maintain, or transmit electronic protected health information … only if the covered entity obtains satisfactory assurances … that the business associate will appropriately safeguard the information”.
Under this framework, an employer-sponsored health plan can share information with “business associates” (such as TPAs and benefit administration vendors) only if the business associate signs a written agreement (a business associate agreement or “BAA”) that provides assurances that the vendor will take steps to protect the confidentiality of participants’ health information. Generally, these BAAs are the subject of some negotiation when a vendor is initially retained; however, once the contract (and the BAA) are signed, the BAA is filed away and (largely) forgotten, unless a data breach triggers review of – and a possible claim under – the BAA.
But Spectre and Meltdown pose a special challenge: what is an employer’s role and responsibility in ensuring that business associates implement patches for Spectre and Meltdown?
Once the BAA is signed employers that sponsor HIPAA-covered health plans have, historically, taken business associates at their word – that these vendors will implement the contractual and legal commitments undertaken in the BAA. And, there is an appeal to this approach – upon executing the BAA the liability for a violation now rests with the vendor and more active monitoring of vendor activity poses its own challenges. However, this approach is increasingly risky:
• Vendor problems become plan problems very quickly. Once a vendor’s systems have been penetrated by malware, it is all too easy for the breach to then find its way to the employer (and to the employer’s plan). And, at that point, the employer and/or the plan now have a breach.
• A health plan is responsible for protecting “against any reasonably anticipated threats or hazards to the security or integrity” of confidential health data. 45 C.F.R. Section 164.306. In light of the ubiquity of the risks posed by Spectre and Meltdown and the widespread knowledge about these risks, has an employer fulfilled its responsibility – to protect against “reasonably” anticipated threats – without specific assurances about responses to Spectre and Meltdown?
The challenges posed by Spectre and Meltdown highlight an issue that was lurking in the background before these bugs were discovered – what is an employer’s responsibility to actively inquire about and monitor vendors’ computer security protocols? These bugs may now bring this issue to the foreground.
As noted by Henry Kissinger (and others), even a paranoid can have real enemies. In dealing with computer bugs and threats to HIPAA data, it may be helpful to be even more paranoid.