The post below is a guest blog from Ellen Tucker who serves as Principal, Health & Welfare Consultant for CAI’s employee benefits partner Hill, Chesson & Woody.
Anthem, Inc., a Blue Cross and Blue Shield company providing health insurance in 14 states, has reported a data breach. Anthem is one of the country’s largest health insurers, and the database that was hacked included names, birth dates, Social Security numbers, street addresses, email addresses and employment information for over 80 million current and former members. It does not appear that health records were accessed. The personal information could be used to steal the identities of millions of Americans in what may be the largest healthcare security breach in history. This brings heightened concern regarding the ability of health insurance companies to protect electronic medical records and claims data.
This breach has caused concern among employer groups insured by other BCBS plans. If they have employees in any of the Anthem states (California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia and Wisconsin), or otherwise have employees or family members who have used providers in those states, they could be affected. Blue Cross and Blue Shield of North Carolina (BCBSNC) confirmed that Anthem is a separate company with a separate technology system, and that the breach occurred in Anthem’s system, not BCBSNC’s. At this time, there is no indication that a breach has occurred at BCBSNC. BCBSNC has multiple layers of data security in place and actively monitors its systems. BCBSNC said it is in close communication with Anthem and the Blue Cross Blue Shield Association as the investigation continues, and is working with Anthem to determine whether the breach of Anthem’s system affected any BCBSNC members who live in or received care in Anthem’s area.
Clearly, health insurance carriers are vulnerable to the same kind of data breaches that have affected retail companies and financial institutions. Any business that holds personal information desired by hackers could be at risk of a cyber attack. Additionally, insurance carriers, brokers and, in some cases, employers must be aware of the responsibility they have for securing information that is considered protected health information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). PHI includes any individually identifiable health information created or received by a covered entity that relates to the past, present or future mental or physical health of an individual, including the provision of healthcare and payment for healthcare. Covered entities include group health plans, among them employer-sponsored self-funded health plans, health reimbursement accounts, health flexible spending accounts and fully-insured health plans if they have access to PHI. Examples of PHI include any health information combined with an identifier such as a name, address, date of birth, telephone number, fax number, email address, Social Security number or medical record number.
In general, the privacy rules require a covered entity to make reasonable efforts to ensure that when it uses, discloses or requests PHI for permitted purposes, only the minimum necessary to accomplish the intended purpose is used, disclosed or requested. To comply with the security rules, there must be administrative, physical and technical safeguards. Administrative safeguards include training employees who handle PHI, policies and procedures that restrict access to PHI to situations where it is appropriate, and designating a security officer. Physical safeguards include protecting electronic systems and devices (laptop computers, cell phones, flash drives) and limiting physical access to facilities. Technical safeguards include automated processes used to protect data and control access, encryption and passwords, and software to record and examine access to the information systems that store PHI.
The Health Information Technology for Economic and Clinical Health Act (HITECH), enacted as part of the American Recovery and Reinvestment Act of 2009, established detailed breach notification requirements. A HIPAA breach is the acquisition, access, use or disclosure of PHI that is not permitted and that compromises the security or privacy of the PHI. Affected individuals must be notified within 60 days of when the incident is known or should have been known. There are also notification requirements to Health and Human Services, and to the media if more than 500 people are affected. Violation of the security and privacy rules can result in significant penalties, particularly as a result of the tiered increase in civil money penalties enacted under HITECH. Penalties range from $100 to $50,000 for each violation, up to $1,500,000 in a calendar year.
Affected employers must decide their role in responding to the Anthem data breach. If the plan is fully insured, Anthem is likely responsible for notifying affected individuals. If the plan is self-funded with Anthem as the TPA, the Service Agreement and Business Associate Agreement should be reviewed to determine whether Anthem or the employer is responsible for notification. Employers that are not affected by the Anthem data breach should still assess their responsibilities regarding PHI under HIPAA and HITECH and take any necessary steps to ensure compliance.