Anthem Cyber Attack Serves As Reminder to Review HIPAA Documents
Written by Jason Rothman
On February 5, 2015, Anthem announced that as a result of a cyber attack, a massive data breach occurred. While Anthem says that no medical history information (i.e., diagnosis or treatment data), credit card or banking information was exposed, the data exposed does include names, dates of birth, member ID and social security numbers, addresses, phone numbers, email addresses and employment information.
Anthem is continuing its investigation and additional details are expected. Notwithstanding Anthem's continuing analysis of the data breach, employers, as plan sponsors of health plans, must recognize that the data released in the breach fall under "protected health information" or "PHI" under the Health Insurance Portability and Accountability Act of 1996, or "HIPAA." As such, what we are now dealing with is a HIPAA "breach" that may trigger certain notification requirements under HIPAA.
At this point in time, any plan sponsor that has a relationship with Anthem needs to take action to determine what responsibilities it has and what action Anthem must take relating to the breach.
Plan sponsors of insured Anthem plans should review all contracts/agreements that address data privacy and security. For those employers who use Anthem to provide insured benefits, the notification burden generally falls on Anthem.
An employer who uses Anthem as a third party administrator of its self-funded health plan needs to analyze the applicable administrative services agreement, as well as the business associate agreement ("BAA"), to determine what responsibilities reside with Anthem and what responsibilities reside with the employer. Although there are specific disclosure requirements that Anthem will be subject to due to the breach, the notification requirements (for example, the individual, media and governmental notifications under HIPAA and state law) fall on the plan sponsor if not specifically addressed in the services agreement or the BAA.
Some plan sponsors may be surprised to find out that they have the responsibility for the breach notification because the BAA or services agreement does not specifically require Anthem to be responsible for this action. In the event that the plan sponsor is responsible for the notifications, it will need to work with Anthem to determine who was affected by the breach and to get the required data to issue the proper notifications. In addition, plan sponsors need to determine if Anthem has agreed to cover the costs associated with the breach as it relates to the plan and issuing the applicable notices. A properly drafted indemnification provision in the service agreement and/or BAA would address this.
The same concepts and action steps apply to employers who don't use Anthem for services. Plan sponsors, especially plan sponsors of self-funded health plans, need to make sure they have well-drafted service agreements and BAAs with their vendors. This would include clear language on the parties' obligations in the event of any improper use or disclosure of PHI, including a "breach" requiring notice under HIPAA. Further, consideration of applicable state law notification requirements and costs associated with breach notifications should be specifically addressed in the agreement/BAA.
In addition, employers may be finding themselves dealing with employee inquiries about the Anthem data breach. Anthem has issued a series of frequently asked questions about the data breach that employers may want to direct their employees to – see https://www.anthemfacts.com/faq. Additionally, employers may want to consider telling employees about the recent phishing activity associated with the Anthem breach and that those affected by the breach will receive notice via mail advising them on what action is being taken and any next steps.