Twenty-One Years After HIPAA Added Protections for Health Information, What About Financial Information?

The Health Insurance Portability and Accountability Act – HIPAA – turned twenty-one this year.

Employers can play an active role in protecting employees’ financial data – and, have a roadmap for doing so by looking at HIPAA.

The Health Insurance Portability and Accountability Act – HIPAA – turned twenty-one this year.

A key element of HIPAA is the wide range of legal protections intended to keep health information private. Is time to start providing retirement plan participant financial information with the same level of protection?

What HIPAA Does

Under HIPAA health care providers, insurers and administrators must comply with a number of requirements regarding the treatment of individually identifiable health information – known as “PHI.” Entities covered by HIPAA must ensure that they utilize organizational protections (limiting sharing of PHI to other business units of the same entity), technical protections (requiring security measures for electronically stored and transmitted PHI), and physical safeguards (requiring that only properly authorized physical access to PHI is allowed).

HIPAA further requires that entities with PHI obtain contractual assurances from any vendor who is going to receive PHI (called a business associate agreement or BAA).

And HIPAA is backed up by mandatory reporting on breaches (including reporting to the affected individuals and to the federal government) and monetary penalties for breaches. In 2016 the federal government collected $15 million in HIPAA penalties.

Although HIPAA does not guarantee that PHI will never be disclosed, it does force employers, healthcare providers, and health insurance industry to ramp up the level of privacy protection.

So, Why Not a Financial Information Protection Act?

Under current rules, financial firms can play fast and loose with significant amounts of personal financial data. Under current law there are several federal agencies involved in protecting personal financial information: The Securities and Exchange Commission, the Federal Trade Commission and the Consumer Financial Protection Bureau (the “CFPB”). However, the laws that these agencies enforce to protect personal financial data are far laxer than HIPAA.

For example, under SEC and FTC rules, there are few restrictions on sharing personal data with different business units in the same firm – or even with outside entities – as long as the financial firm provides a notice of its disclosure policies, describes the circumstances when data will be shared and provides an opt out mechanism. FTC rules require financial institutions maintain “a comprehensive information security program” with contains administrative, technical, and physical safeguards. However, the FTC rules simply don’t have the reporting and penalty features that have the impact of HIPAA enforcement.

In effect, current rules do not impose any meaningful standards to protect personal financial information from commercial exploitation by a vendor. The bottom line is that he safeguards under HIPAA (and the associated financial penalties) are simply not imposed on financial firms.

Even if consumers could benefit from a HIPAA-like statute for financial information, such a change in the law is not on the horizon. So, what can be done?

A Role for Employers

Employers are a key source of financial firms access to employees’ financial information – the access is provided when an employer retains these firms to administer 401(k) and 403(b) plans.

So, like it or not, employers are in the middle of any serious discussion on protecting employees’ financial information. In the absence of a HIPAA-like law covering personal financial information, employers have a role to play in helping protect employees’ data.

•      Employers can seek to obtain contractual protections from retirement plan vendors limiting sharing and other commercial exploitation of employee data.
•      Employers can also seek enhanced indemnification from vendors if employee data is improperly disclosed.
•      Employers should request more information on vendors’ data policies as part of the vendor selection and negotiation process.

In effect, employers can use HIPAA-like practices and their experience with BAAs to protect employees. In light of employers’ role in providing financial firms with access to employees in the first place, it is the least they can do.