On February 5, 2015, Anthem Blue Cross Blue Shield (“Anthem”) announced that it was the target of a cyber attack that resulted in unauthorized access to Anthem’s IT system. As a result, certain personal information of Anthem’s current and former members may have been compromised. Information that may have been subject to compromise includes member (and former member): names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information (including income data). In subsequent media coverage, it has been reported that up to 80 million individuals may have been impacted. It was also reported that information going back to the year 2004 may have been subject to the breach.
It is believed that the Anthem breach is the largest breach involving health information to date.
While Anthem has been providing individuals with information (often through communications with employers responsible for sponsoring the employee health plan), it is possible that under HIPAA, applicable state laws and ERISA, an employer maintaining an Anthem health plan may have legal responsibilities as a result of the Anthem breach. The purpose of this Special Bulletin is to summarize those responsibilities and to provide you with information to help ensure your organization meets those responsibilities.
Under HIPAA, a “covered entity” has certain reporting responsibilities (to the Department of Health & Human Services) and/or notification responsibilities (to affected individuals) in the event of a data breach involving health information. A health plan is considered to be a “covered entity” and while, according to HIPAA, a health plan is considered to be a distinct legal entity, it is generally the employer that sponsors the plan who has the responsibility for making such reports/notices in connection with the plan. Under HIPAA, a “business associate” does not have these reporting/notification responsibilities; however, these responsibilities may be delegated to the business associate by the covered entity under contract.
To understand whether your organization’s health plan has responsibilities for reporting/notification as a result of the Anthem breach, it is necessary to review your plan documents. Generally, the responsibility of your health plan in responding to the Anthem breach will depend upon whether your plan is self-insured or fully-insured. If your plan through Anthem is self-insured, it is likely that Anthem is considered to be your plan’s business associate and the reporting/notification responsibilities rest with the plan and not with Anthem. If your plan through Anthem is fully-insured, again, depending upon the language in your Anthem plan, it is likely that Anthem is also acting as a covered entity and, as such, it is Anthem who has the reporting/notification responsibilities under HIPAA.
Bottom Line: If your organization sponsors a group health plan for your employees, you should review your Anthem agreements, including the business associate agreement, to determine whether, as plan sponsor, you are legally responsible for providing notice to affected individuals of the Anthem breach. If your organization does have notice responsibilities, you are responsible for providing notice “without unreasonable delay” and in no case later than 60 calendar days after discovery of the breach.
In addition to HIPAA, there are 47 different states that have enacted data breach laws. While each state’s law may have unique variables, generally, each requires certain organizations to provide notice in the event of a data breach. Notice may be required to a state Attorney General, a particular state department designated for consumer protection matters and to affected individuals. Based upon what has been reported regarding the Anthem breach, it is likely that under any of the 47 state laws, the Anthem breach would require notice. Some state laws provide that if you are in compliance with notice requirements under HIPAA, then you need to take no additional actions. Many state laws, however, do not contain this exemption. Since each state law is different, as the sponsor of a health plan, your organization may have notice responsibilities according to the particular laws of the state in which your organization is located and the laws of the states in which your employees reside.
Bottom Line: If your organization maintains a group health plan for your employees, you should review both the laws of the state in which your company is located as well as the laws of the states in which your employees reside to determine whether you are legally responsible for providing notice to affected individuals of the Anthem breach.
In addition to HIPAA responsibilities outlined above, your company may have responsibilities under ERISA. With the exception of plans maintained by churches, some church-related organizations and governmental entities, ERISA governs group health plans. ERISA imposes on plan fiduciaries certain obligations in connection with the administration and operation of ERISA-covered plans, including a duty to act prudently and to act in the best interests of plan participants and beneficiaries (the latter of which is part of the fiduciary duty of loyalty). ERISA fiduciaries are held to extremely high standards of conduct under the law.
An employer’s actions and authority with respect to a health plan, as well as the plan’s governing documents, will determine whether an employer is a fiduciary of its group health plan. However, most employers that sponsor ERISA-covered group health plans are considered fiduciaries of such plans. As such, employers must consider what actions, if any, must be taken in response to Anthem’s data breach. By doing so, employers can help to ensure that their fiduciary duties of prudence and loyalty are fulfilled, minimize the risk of claims of breach of fiduciary duty, and protect themselves in the event of a lawsuit.
In addition to imposing fiduciary duties, ERISA “preempts” certain state laws to the extent that such laws relate to the administration of ERISA-covered plans. ERISA’s preemption can present challenges in terms of determining which laws must be observed and which do not apply.
In order to identify and fulfill their responsibilities under ERISA, employers should consider taking the following steps, among others:
- Review plan documents and plan operations to determine who (including the employer) has fiduciary responsibility with respect to the group health plan.
- Determine how directly the breach will impact the plan. If the plan uses Anthem currently as its insurer or third-party administrator or has used Anthem in the past, the impact of the breach will be more direct than if the plan has never contracted with Anthem. The more direct the connection between Anthem and the plan, the more rigorous the fiduciaries’ process and actions must be.
- Analyze the interaction of state laws and ERISA’s preemption provision to determine the extent to which compliance with state laws is required.
- Review all information from Anthem to determine what steps it is taking as a result of the breach. Contact Anthem for more information to the extent needed to fully understand how the breach will impact the plan.
- Provide information to plan participants and beneficiaries that Anthem provides, to the extent that Anthem is not directly providing the information to such individuals. Ensure that the participants and beneficiaries at least have as much information as they need to protect themselves against possible consequences of the breach.
Bottom Line: If your organization maintains an ERISA-covered plan, you may have fiduciary responsibilities as a result of the Anthem breach in addition to HIPAA responsibilities.