Many employers are wondering what their obligations are in the wake of the Anthem data breach announced on February 5, 2015. Anthem is a large insurer with customers in 14 states. Anthem stated in its letter that only personal information was accessed during the security breach and that, apparently, no medical information was accessed. Therefore, Anthem apparently has not yet determined whether it believes HIPAA is in play, since “only” personally identifiable information was accessed. (A brief definition/overview of HIPAA is below.) The government office charged with enforcing HIPAA, however, reportedly has already concluded that “protected health information” covered by HIPAA was accessed.
HIPAA breach management and notification procedures are becoming the baseline, but they technically may not apply to this data breach yet. We will be following and reporting news about the Anthem breach as it develops.
In the meantime – and while Anthem’s investigation is still underway – employers need to take action NOW to determine what their reporting obligations may be, depending on the contractual relationship that the employer has with Anthem. Specifically:
1. Notification obligations will depend on whether the employer’s health plan is fully insured or self-funded; and, if self-funded, whether Anthem has contractual obligations to provide the required notices.
- If the plan is fully insured, the insurer, Anthem, is responsible for providing the notices.
- If the plan is self-funded, the insurer (in this case, Anthem, who also typically acts as the plan’s third party administrator) is obligated as a “business associate” to provide information to the plan and the employer as plan sponsor. The plan and employer are then the covered entities who are obligated to provide the required notices. Oftentimes, the third party administrator contractually agrees to provide the required notices. If the employer is self-insured, a review of the Anthem contract is required to make this determination.
- Notification is to occur without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. Presuming Anthem is contractually obligated to do so, the employer will want to confirm with Anthem that it will be providing the required notices.
2. State laws – The general rule is that the party that lost the data is the one responsible for issuing notification of the breach. Most states follow this general rule. A review by the employer of the specific states involved would determine the obligation to notify its employees who are residents of those states of any breach by a third party such as Anthem.
3. Communication with employees – Should be undertaken as quickly as possible, but employers should prominently note that the content of any letter has been provided by Anthem (if that is the case) and that the employer is not making any representations about the incident or surrounding facts.
For more details about HIPAA – and an overview of the breach notification process – please see the following Taft publication. Also, the website of the government agency in charge of HIPAA compliance (the Office for Civil Rights of the Department of Health and Human Services) is a good resource.