The Anthem breach sent shock waves through the health care industry and the employer health plan community. With 78.8 million affected individuals for Anthem and 11 million for the companion breach of Premera Blue Cross, the combined size ranks among the largest data breaches in history.
The Anthem and Premera breaches signal a sea change in the threat environment for health plans, a new reality that requires a fresh look at data security. Prudent employers with group health plans should take that fresh look now, by strengthening the data security provisions in their business associate agreements (BAAs) with third-party plan administrators, and also by updating their HIPAA-required security risk assessments.
It’s Time for BAA 2.0
In the days following the Anthem breach announcement, employer benefits managers and in-house legal counsel had a flood of questions. Who would be responsible for making HIPAA and state law notifications to the thousands of affected members of their group health plans? What about any required notifications to federal or state regulators, or to the media? And what about exposures and liabilities for any future claims?
For answers, they pulled out their administrative services agreements and BAAs with Anthem-affiliated plan administrators … but most of them found (1) no delegations for making HIPAA notifications and (2) no provisions on PII security, breach exposures, or notification responsibilities. That’s understandable in a pre-Anthem/Premera world. But going forward, BAAs should contain the security requirements, response delegations, and allocations of breach liabilities appropriate for this new threat environment.
It’s Time for an Updated Security Risk Assessment
HIPAA requires health plans to conduct a security risk assessment and also to reassess the adequacy of security controls at least annually and whenever changed circumstances warrant. When a breach triggers an investigation by the HHS Office of Civil Rights, one of the first items requested by OCR will be written documentation of the up-to-date security risk assessment and periodic evaluations.
Employers with small to medium-sized group health plans might be tempted to view themselves as too insignificant a target for hacking or other security intrusions. Speaking of “target,” the same could have been said for Fazio Mechanical, an HVAC service provider to the retailer Target, and reportedly the hackers’ entry point into Target’s network through the retailer’s supplier portal. Similarly, most benefits managers for employer group health plans use a portal to connect with their third-party administrator’s data systems for plan administration.
Group health plan employers should update their security risk assessments now, in light of the Anthem and Premera breaches and the current threat environment. A compliant security risk assessment is not merely a gap analysis against the security requirements under HIPAA and other applicable laws. It also includes the identification of threats, vulnerabilities, and risks to the security of protected information, leading to the strengthening, as needed, of the plan’s data security posture. And documentation of the updated risk assessment is also crucial to protect the plan in the wake of a security breach.