The Anthem Cyber Attack:
How Does HIPAA Apply and What You Need To Know
What happened?
As you have probably heard by now, on January 29, 2015, Anthem discovered it was the victim of a sophisticated cyberattack. Approximately 80 million people may be impacted, including current and former members of Anthem’s affiliated health plans. In addition, members of other independent Blue Cross Blue Shield plans who received services from and through Anthem may be impacted. The information accessed included names, dates of birth, Social Security numbers, healthcare ID numbers, home addresses, email addresses, and employment information, including income data. Anthem does not believe that credit card information, banking information, or medical information such as claims, test results, or diagnostic codes was targeted or accessed.
What is Anthem doing to protect impacted individuals?
Anthem has offered 2 years of free identity theft repair and credit monitoring services to current and former members of an affected Anthem plan dating back to 2004. Anthem has established a website dedicated to the cyberattack: www.anthemfacts.com. This website provides additional details relating to the credit protection services, as well as FAQs about the cyberattack.
Does HIPAA apply?
As you know, HIPAA applies to protected health information (PHI). Moreover, HIPAA’s Breach Notification Rules require notice to HHS when 500 or more individuals are affected. Thus far, Anthem has asserted that medical information was not accessed. However, HIPAA defines protected health information to include information containing any of 18 identifiers, such as names, addresses, or phone numbers. If such information was listed together with a health condition, health care provision, or payment data, then it would be considered PHI and Anthem would be required to report the breach to HHS.
Anthem has recently announced that it will undertake the HIPAA Breach Notification requirements. It has also been reported that HHS does not want individual health care plans or plan sponsors to notify HHS of the Anthem cyberattack. It is still unclear, however, if Anthem will assert that a breach of PHI occurred when it provides notice to HHS since Anthem claims no medical information was accessed.
What should Plan Sponsors do?
Plan sponsors that have a relationship with Anthem should review their contracts with Anthem, which may include Administrative Services Agreements and Business Associate Agreements. For fully insured health plans, Anthem most likely has full responsibility to provide notice to the affected health plan participants. The HIPAA Breach Notification Rules, however, may impose different responsibilities on self-funded health plans. Under HIPAA, a self-funded health plan, as a covered entity, is required to provide notice to the affected individuals and, when required, to HHS. This obligation may be delegated to the third party administrator through the Administrative Services Agreement or Business Associate Agreement. Plan sponsors of self-funded health plans should review their contracts with Anthem to confirm that the notification requirements have been delegated to Anthem. If these responsibilities have not been delegated to Anthem, the plan sponsor should contact Anthem to discuss each party’s responsibility relating to the cyberattack.
For plan sponsors that do not have a direct relationship with Anthem, the cyberattack should serve as a reminder to ensure that the health plan is HIPAA compliant.
How Do You Become HIPAA Compliant?
- Risk Analysis. You must determine whether your current uses and disclosures of PHI and electronic PHI are permitted under HIPAA/HITECH. Additionally, you must conduct a thorough analysis of all potential risks and vulnerabilities relating to any PHI held by the health plan. OCR will want to see a Risk Analysis that demonstrates you have put forth your best effort to protect PHI and electronic PHI. This includes reviewing your existing risk analysis to determine whether it needs to be updated. If your health plan has not performed a risk analysis, it should.
- Policies and Procedures. Next, you should review all HIPAA policies currently in place and determine how those policies should be modified to ensure compliance with HIPAA/HITECH. This process will include creating and implementing breach notification policies and procedures. If you have not created HIPAA policies or procedures, we can help you through this process.
- Workforce Training. You should also conduct annual workforce training on the HIPAA/HITECH requirements and penalties for individuals who have access to PHI and/or electronic PHI.
- Document. Finally, you should document the entire process.
Perplexed by all the requirements under HIPAA/HITECH? Let us help! We can help guide you through the compliance process. Please contact our office to discuss how we can further assist you in meeting your resolution to become HIPAA/HITECH compliant.