Reports of hacking and data breaches have been in the news lately, including a recent alleged attack on Anthem, the country’s second largest health insurance provider, potentially affecting millions of individuals. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) imposes requirements on group health plans and other entities designed to safeguard personal health information. If a data breach involves unsecured (e.g. not encrypted) “protected health information” under a group health plan, HIPAA requires notice to individuals, the Department of Health and Human Services (HHS) and, in some cases, the media.
Protected health information (PHI) may include participant names, dates of birth, phone numbers and email addresses (not just information directly related to a participant’s health). We understand that Anthem has indicated to at least certain clients that its breach involved PHI. Consequently, clients who currently or formerly have used Anthem to provide health coverage should contact Anthem regarding notification requirements. This is especially the case for clients maintaining self-insured coverage since employers bear the ultimate responsibility for providing notice of HIPAA breaches for self-insured plans. Please contact us if you desire assistance with this process.
If a group health plan is required to provide a notice of breach, the covered entity must notify:
- Affected individuals “without unreasonable delay and in no case later than 60 calendar days after discovery.”
- HHS at the same time as affected individuals if the breach involves 500 or more people. If the breach involves fewer than 500 people, the covered entity must record the incident on its breach log and file the log with the HHS by March 1st of the following year.
- News media if the breach involves more than 500 residents in a state or jurisdiction.
If a potential breach is identified, the employer or third-party provider must determine whether a breach has occurred and who is responsible for providing notice. This likely will depend on whether the plan is self-insured or fully insured.
Self-Insured Plan. The employer is generally responsible for providing breach notices for a self-insured plan. However, if the employer engaged a third party as a HIPAA “Business Associate” (BA) of the plan (for example, a third-party administrator), the responsibility was likely delegated to the BA under the parties’ Business Associate Agreement. At a minimum, the BA should be required to notify the employer of the breach. Whether or not the BA is also required to notify the affected individuals, HHS and news media will depend on whether these responsibilities were delegated to the BA under a Business Associate Agreement and on the nature of the breach.
Accordingly, if an employer with a self-insured group health plan becomes aware of a potential breach, it should review its Business Associate Agreement to determine whether the employer or the BA is responsible for providing notices and for the costs of providing the notices. Even if the BA is obligated to provide notices, the employer, as a plan fiduciary responsible for monitoring the plan’s service providers and the party ultimately responsible for the notices, should review the notices provided by the BA to verify compliance with HIPAA and to ensure that the BA is taking steps to mitigate any harm.
If the Business Associate Agreement does not delegate to the BA the responsibility for providing notices of breach (or is silent), then the employer must determine whose information was compromised, take action to protect the data and mitigate harm, and provide notices necessary to comply with the plan’s obligations under HIPAA and state law.
Insured Plan. Where a group health plan is insured, the insurance carrier generally is required to provide the breach notices described above. The employer will generally have minimal involvement. However, the employer is ultimately responsible for monitoring the insurance carrier and determining whether the notices and steps to mitigate harm are adequate.
Other Potential Actions for Employer if Insurer or BA has a Breach of PHI
An employer may also consider the following steps if its group health plan is subject to a potential data breach:
- If self-insured, conduct its own review to determine whether accessed information is PHI and whether PHI has been compromised under the HIPAA rules.
- Notify insurance carrier or BA of claim for indemnification of any losses.
- Ensure that employees are aware of any credit monitoring and identity theft services made available by the insurance carrier or BA.
- Review data security and privacy liability (cyber) insurance for coverage of any costs and requirements to notify the carrier.
- Ensure compliance with any applicable state privacy notification laws.
Lessons from the Anthem Breach
The Anthem breach serves as a reminder that HIPAA imposes significant responsibilities on group health plans. Even employers who have not been affected by the Anthem breach should use the breach as an opportunity to review HIPAA policies and procedures (or establish HIPAA policies and procedures if none exist) and underlying Business Associate Agreements so that they are prepared if their group health plans become subject to a similar breach.
For assistance in reviewing or creating HIPAA policies and procedures and Business Associate Agreements, contact your regular Calfee attorney or one of the individuals listed.