The facts surrounding the Anthem breach continue to evolve as does Anthem’s handling of the situation.

Based on the current status of the investigation, and Anthem’s current reactions to the incident, there are steps which group health plan sponsors should consider taking to fulfill their own HIPAA and fiduciary obligations with respect to group health plans affected by the Anthem breach. These steps include the following:

  • Have business associate agreements and other relevant documents reviewed to assess the plan sponsor’s rights and obligations with respect to the breach.
  • Request from Anthem:
    • additional information about the breach;
    • confirmation concerning the steps that will be taken to protect the plan sponsor’s employees and affected individuals;
    • more extensive victim protection, client indemnification, and paid notification than Anthem is currently proposing to offer; and
    • confirmation that any state notification requirements will be satisfied on behalf plans and plan sponsors.

In addition, plan sponsors should continue to monitor ongoing developments so they can modify their own response as appropriate to fulfill their obligations with respect to and protect plan participants.

David Zeetony.