As has been widely reported, Anthem, Inc. (Anthem) recently experienced a cyber-attack that resulted in the disclosure of personal information of individuals who are receiving, or who have previously received, services from Anthem or one of the many Blue Cross Blue Shield (BCBS) organizations who do business with Anthem. At this time, it appears that Anthem or BCBS have notified affected employers. Affected employers may need to take several steps to ensure compliance with their own legal obligations—particularly if their plans are self-insured. These include the following:
- Determine whether your plan has an obligation to notify affected individuals about the breach under HIPAA. Notice to the Department of Health and Human Services and the media may also be required. If you determine that notices are required, confirm that Anthem or BCBS will be providing the required notices on your plan’s behalf. In many instances, provisions governing breach notification requirements will be included in services agreements or business associate agreements.
- Determine whether state privacy laws require the plan or the employer to provide notice of the breach to affected individuals. Notice may also need to be provided to state agencies and to national credit reporting agencies. If you determine that notices are required, confirm that Anthem or BCBS will be providing the required notices on your or your plan’s behalf.
- Breach notification laws contain specific notice requirements. Once you have confirmed that Anthem or BCBS will be providing notices on behalf of your plan, review the notices to ensure they contain all the information required under HIPAA and state privacy laws. In addition, confirm that all required parties are timely notified.
- Maintain a record of the breach and of the corrective actions taken to address the breach.
- Review your HIPAA privacy notice and your HIPAA policies and procedures to determine if additional steps need to be taken. If these have not been updated for current HIPAA breach notification rules, review and revise them as soon as possible.