Feb 06, 2015
Last week healthcare provider Anthem, Inc., discovered it had been hacked, potentially impacting 80 million current and former participants. It has not been determined whether the Health Insurance Portability and Accountability Act (HIPAA) breach notification rules apply to this breach. However, from what has been reported, the stolen data appears to include health plan enrollment information which is protected health information. Consequently, the HIPAA breach notification rules may apply.
The HIPAA breach notification rules were enacted by the Health Information Technology for Economic Clinical Health Act (HITECH). Group health plans were required to update their HIPAA privacy and security policies and procedures and notice of privacy practices to include these changes and others set forth by the Department of Health and Human Services (HHS) in final regulations. The deadline for these changes was Sept. 23, 2013. Business Associate Agreements were required to be updated no later than Sept. 23, 2014.
Employers who are insured by Anthem or are self-insured and use Anthem to administer the plan should review information concerning the Anthem breach carefully before concluding that the HIPAA breach notification rules do not apply. Employers that are insured by BlueCross BlueShield or use BlueCross BlueShield to administer their self-funded plan should review the breach information to determine whether the HIPAA breach notification rules apply. The cyber attack could impact BlueCross BlueShield participants if the participant’s claim was submitted through Anthem for an employee or an employee’s dependents in an Anthem service area. Employers who use a BlueCross BlueShield insurer should contact BlueCross BlueShield to determine whether they are affected by the breach.
If an employer determines the HIPAA breach notification rules apply, it must review its Business Associate Agreement with Anthem (this is often an exhibit of the administrative services agreement for self-funded plans). The Business Associate Agreement should provide which party is responsible for making any required HIPAA breach notifications. The time frames applicable to the HIPAA breach notification rules require immediate action.
Further, because Anthem already contacted participants with a general announcement regarding the breach, employers should be prepared for participant questions. Any employer who has not updated its HIPAA compliance documents for the breach notification rules should do so immediately.