By now everyone has heard of the February 4, 2015, cyber-attack on Anthem, Inc. According to Anthem, the attack exposed the personal information of approximately 80 million individuals including those presently and formerly insured by Anthem or by related Anthem companies. The breach exposed member names, health ID and social security numbers, dates of birth, addresses, telephone numbers, email addresses, and certain employment information. Anthem is continuing its investigation and promises to provide updates going forward.
While Anthem has indicated that, so far, no specific health information appears to have been exposed, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) includes within its definition of “protected health information” (“PHI”) demographic information regarding individuals maintained by “Covered Entities”. Health plans are included within the definition of a “Covered Entity”. Health plans include health insurers such as Anthem, but also employer-sponsored employee health plans.
In 2009, the Health Information Technology for Economic and Clinical Health Act (“HITECH”) introduced the concept of a “breach” of “unsecured protected health information” (“UPHI”). A “breach” is defined as unauthorized access to PHI maintained by a Covered Entity or a Business Associate of a Covered Entity. Where a breach occurs, a notice must be sent to all affected individuals. Whether the employee health benefit plan itself has any requirement to send a notice turns on whether such plan is fully insured or self-insured.
Employer plans that have or had Anthem coverage on a fully insured basis for their sponsored employee health plans generally can rely on Anthem to provide any required notice of a breach to affected employees/insureds. However, if Anthem serves or served merely as a Third Party Administrator (“TPA”) or only provided other administrative services for a self-insured plan, the scenario is very different. In that case, the self-insured employee plan is considered to be the Covered Entity affected by the breach and may be required to send a notice and take other steps. Even in such a scenario, however, a plan may have a Business Associate Agreement in place with the TPA (e.g. Anthem) which may contractually allocate the responsibility for sending the breach notice to Anthem, thereby relieving the employee health plan of this obligation.
In light of these developments, it is critical to consider at least the following:
1. If you have or had Anthem involved with your employee health plan, review all documentation relating to Anthem’s status and determine whether the plan was “fully insured” or merely a TPA-style arrangement.
2. If a TPA-style arrangement, carefully review all documentation, including any relevant Business Associate Agreement, to determine the rights and responsibilities of the parties in light of a suspected breach.
3. Discuss with counsel the specific content and timing requirements of HIPAA-compliant breach notifications, if required to be sent by your health plan.
4. Regardless of any affirmative obligation to provide a HIPAA notice of breach, consider passing on updates from Anthem to your employees, and guidance as to how employees may place fraud alerts and take other precautions to monitor their finances and credit for unusual activity. Information for the three nationwide credit reporting companies is as follows:
Equifax: P.O. Box 740256, Atlanta, Georgia 30374;
Experian: P.O. Box 2002, Allen, Texas 75013;
Corp: P.O. Box 2000, Chester, PA 19022.
5. Always keep in mind the requirement to send breach notices, if mandated by HIPAA, as soon as reasonably possible but in no event later than sixty (60) days from the date of discovery of the breach. In this case, the date of discovery was February 4, 2015, making the 60-day deadline run on April 5, 2015.