On Feb. 4, 2015, Anthem announced a data breach involving the personal information of more than 80 million individuals resulting from what it characterized as a sophisticated, targeted cyber-attack. Group health plans may be affected because Anthem: (1) provides insured health benefits; (2) administers health benefits for a self-insured plan; or (3) administers out-of-area/out-of-network claims.
Employers, as plan sponsors on behalf of their group health plans, need to identify how the Anthem breach may affect them, if at all, and get their arms around what they need to do in response. The following is practical guidance on what employers need to know and do now and in the coming weeks to comply with their legal obligations.
Does HIPAA Apply?
One question is whether the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) applies. HIPAA applies if the compromised information is “protected health information”—a broad category of individually identifiable health information that arguably includes demographic information when it is indicative of whether an individual is participating in a health plan. Anthem has not used the term “protected health information” in its statements, but has indicated that “names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data” were compromised, all of which may fall within the definition of the term.
Anthem also has stated that “there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.” Seemingly based on this statement, some at first reported that there had been no violation of HIPAA. These reports may reflect confusion between the information protected by HIPAA and the definition of the term “medical information” under certain state laws, such as the California Confidentiality of Medical Information Act. A court in California recently ruled that “medical information” does not include “personal identifying information that is not coupled with that individual’s medical history, mental or physical condition, or treatment.” Anthem’s emphasis that no medical information was compromised may have been in reference to the California definition or something similar, and may become a key issue in the success or failure of any class action litigation under state law. We understand that class action lawsuits already have been filed, so it is not surprising that Anthem may be laying the groundwork for possible defenses.
It is likely that the Anthem compromised information qualifies as “protected health information,” or “PHI” under HIPAA, which is a broader term than “medical information.” If this is the case, then Anthem, and in many cases employers, will clearly have breach notification obligations under HIPAA.
What Does This Mean for Employers Under HIPAA?
If the breached data is protected health information, Anthem will be required to provide breach notification under HIPAA. Notice obligations under HIPAA vary, depending on whether the compromised information relates to: (1) an individual policy; (2) a fully-insured group health plan; or (3) a self-insured group health plan.
With respect to individual policies and fully-insured group health plans, Anthem may be the health insurance issuer. In these cases, a breach of unsecured protected health information likely requires Anthem to notify affected individuals, the U.S. Department of Health and Human Services (“HHS”), and the media. In these instances, the employer does not appear to have breach notification obligations under HIPAA.
For self-insured group health plans, Anthem could be the third party administrator (“TPA”) of the plan. Under HIPAA, as a third party administrator, Anthem likely would be the group health plan’s business associate that must report a breach of unsecured protected health information to the health plan. The plan itself has the obligation under HIPAA to notify affected individuals, HHS, and potentially the media. This responsibility ultimately falls on the employer, as the plan sponsor. The employer, however, may delegate its breach notification obligations to Anthem, as its business associate. In the present case, delegation likely makes the most sense. Otherwise, a large number of self-insured plans would need to go through the time and expense of breach notification, affected individuals may confusingly receive multiple notifications related to the same incident, and government regulators would need to wade through a large number of breach reports related to the same incident.
A self-insured group health plan’s business associate agreement with Anthem may include and address delegation of breach notification responsibilities. If not, then formal documentation of any delegation may be required if the group health plan chooses to delegate breach notification to Anthem. Once an employer delegates the breach notification obligations to Anthem, it should obtain evidence on behalf of its self-insured health plan that HIPAA-required notifications have been made for the employer’s compliance records.
While HIPAA requires breach notification without unreasonable delay and in no case later than 60 days, it may be reasonable for Anthem to delay notification for the moment while it investigates the breach and coordinates notifications. Employers may need to await instructions from Anthem regarding how breach notifications may be coordinated.
How Will State Law Apply?
State laws may present similar issues. For example, the breach notification laws of 47 states, the District of Columbia and two U.S. territories require the non-owner of data to notify the owner of the data if there is a breach of certain information, including social security numbers. When Anthem is acting as a TPA, it may be treated as the non-owner of the data and have an obligation to report to the owner of the information. Ultimately, under these state laws, the self-insured group health plan, as the owner of the data, may need to notify affected individuals and, possibly, regulators and credit reporting agencies. As with HIPAA, employers who maintain self-insured plans that use Anthem as their TPA may be well served by delegating state breach notification obligations to Anthem.
So What Should Employers Do Now?
If your organization has a self-insured group health plan and uses Anthem as a TPA, there are a few steps that you can take while Anthem continues its forensic investigation:
- Notify employees of the current breach information that Anthem has provided (available at www.anthemfacts.com);
- Educate employees to be on the alert for phishing scams or similar activities that may take advantage of the Anthem headlines to try to obtain personal information (Anthem has indicated that it will contact individuals by U.S. mail, so employees should be wary of any emails or other electronic communications claiming to relate to the Anthem breach);
- Determine whether you (the employer) have breach notification obligations under HIPAA and state law (for example, if you are the plan sponsor of a self-insured plan with Anthem acting as the TPA);
- If you have breach notification obligations, review whether the notification obligations have been contractually delegated to Anthem, such as in the business associate agreement;
- If breach notification obligations have not already been contractually delegated to Anthem, consider whether to formally delegate those obligations to Anthem now;
- Coordinate with your Anthem representative over the coming weeks to address who will provide any breach notifications that may be necessary and verify that the notification will be sufficient to meet your obligations under the law;
- Create an internal security incident report to demonstrate that you are aware that a security incident affecting the group health plan has occurred, and document the actions that are being taken and the basis for any delay (e.g., that you are waiting on more information from Anthem); and
- Once any required breach notifications have been made, ensure that you have some evidence (such as information from Anthem) demonstrating that the necessary breach notifications to affected individuals, HHS, the media, and potentially state regulators and credit reporting agencies have been made.