Anthem Cyber-Attack Could Lead to HIPAA Penalties for Employers
Is Anthem Your Self-Insured Plan’s ASO/TPA? If So, There Are Actions You Need to Take to Avoid HIPAA Penalties.
As you have likely heard, Anthem suffered a sophisticated cyber-attack on its computer systems. Anthem believes that the information (including Social Security numbers) of up to 80 million current and former individuals enrolled in Anthem plans was accessed. Some news articles claim that this was not a HIPAA violation because health claim data was not accessed. However, the mere fact that a participant is enrolled in a health plan is protected health information under HIPAA.
If you are an employer that sponsors a fully-insured plan with Anthem, Anthem has the legal obligation and penalty risk under HIPAA with regard to this breach. If you have a self-insured plan that contracts with Anthem to provide administrative services only (ASO), the legal obligation under HIPAA to notify participants is your responsibility.
While you are permitted to contract with Anthem, as your business associate, to provide the notices on your behalf, if the notices are not done properly it is the plan sponsor that will be penalized by the Department of Health and Human Services. There are proactive steps plan sponsors need to take to ensure they avoid any penalties as a result of this Anthem breach.
Please contact your Graydon Head attorney for more information on the steps you should be taking to protect your company if you currently use Anthem as the ASO for your self-insured health plan or have used them in the past.