HIPAA Action Items After a Data Breach

Anthem Blue Cross and Blue Shield, one of the largest health insurers in the U.S., notified its policyholders, members and business partners on Feb. 5, 2015, that it was the target of an external cyber attack that appears to have compromised the confidentiality of personal information maintained on its information technology system.

An employer facing news that its insurer or third-party administrator (TPA) has experienced a data breach may find such news alarming and, at times, confusing. Even if no medical information was compromised, information concerning current or former members’ enrollment in health insurance or information about members’ health claims from a TPA generally qualifies as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). This is true even if neither diagnostic codes nor other sensitive information is included among the identifying information.

If a plan participant’s name, Social Security number, address or other identifying information were compromised while held by an insurer or TPA, that would constitute a breach for purposes of the Health Information Technology for Economic and Clinical Health (HITECH) Act and HIPAA. In such a situation, state-level breach notification laws also are likely to be implicated.

Employers’ Obligations

As employers consider how to respond following a data breach, it is important to note that their obligations will depend on the relationship between their health plan and the insurer or TPA.

• Insured plans. If the plan is insured, the insurance provider is the covered entity responsible for investigating the situation, undertaking appropriate mitigating measures, and providing all required notices to plan participants, regulators, and, in some instances, the media.

Following its security breach, Anthem announced that all impacted health plan members would be offered an opportunity to sign up for credit monitoring/identity protection services, and that impacted members would be notified by mail of the protections being offered to them as well as any next steps.

• Self-funded plans. If the plan is self-insured, the responsibility for investigating a breach and providing any required notice, by default, falls on the plan and the employer as its sponsor. If, as is typically the case, however, the employer has outsourced the claims administration role, the TPA may have the contractual obligation for assessing and responding to the breach.

At a minimum, the TPA will have a notice obligation to the plan/employer and a responsibility to provide details surrounding the breach. Employers should review the relevant contract documents and determine where responsibility for response, remedial, and notification measures rests.

For life insurance and other non-health coverage and benefit services that a breached insurer offers, HIPAA and HITECH may not apply. However, when crafting a response, employers should consider their role as a fiduciary of the benefit plan as well as employee relations. It may be prudent for an employer to reach out to employees, sharing information sent to it by the insurer regarding the breach, as well as to follow up with the insurer’s representatives to get a better understanding of how the breach is being addressed for its employees.

In all cases, under state breach notification laws, generally the party that held the data when the breach occurred is responsible for issuing the notice. State laws govern who must provide notice and define the contents and recipients of such notices. Accordingly, employers should identify the implicated states and comply with their obligations in the relevant jurisdictions.

Action Items

Initial action items for employers in this situation include the following:

• Define the relationship between the employer’s health plan and the breached insurance company. Is the latter acting as an insurer or as a TPA for the plan?

• If the plan is insured, the notification obligation resides primarily with the insurance company. In addition to notifying the affected individuals, employers should review their insurance contract documents and evaluate their provisions regarding data privacy and security. Ultimately, if the plan is fully insured, the insurance company should be responsible for HIPAA and HITECH compliance and the proper issuer of notices under state data breach laws.

• If the plan is self-insured and the breached insurance company serves as TPA, the employer should closely examine its service contract and “business associate agreement.” In particular, the employer should focus on the breach assessment and notice provisions and determine who is responsible for evaluating possible breaches and issuing required notifications to the affected individuals. Examine the information that the TPA has provided regarding its handling of the breach and make sure that those actions coincide with the contractual provisions, HIPAA, HITECH and applicable state breach notification laws.

• If the employer retains responsibility to provide the required notice, determine whose data was compromised, identify the actions required to protect the data and mitigate harm, and prepare the notices necessary to comply with the plan’s obligations under HIPAA and state law. The employer will likely need to work with the TPA to collect the detailed information necessary to prepare the required notices, and the TPA has an obligation to provide the employer with the information necessary to prepare that notice.

• Consider additional steps the employer should take to mitigate any harm caused by the breach. Review the service agreement and business associate agreement for any provisions governing mitigation obligations and indemnification clauses for the employer’s ability to recover for costs related to the breach.

Recent large-scale data breaches demonstrate that all forms of sensitive personal information can be vulnerable to exploitation. In addition to Anthem, other major health insurers and benefits consultants, insurance brokers and TPAs are likely vulnerable to similar attacks in the future, and employers should be prepared to respond quickly in the event their plans or business partners are affected.

Timothy G. Verrall is a shareholder in the Houston office of Ogletree Deakins. Stephen A. Riga is an associate in the Indianapolis office of Ogletree Deakins. Danielle Vanderzanden is a shareholder in the Boston office of Ogletree Deakins. All are members of the firm's Data Privacy Practice Group. © 2015 Ogletree Deakins. Republished with permission. All rights reserved.