As you may have heard, Anthem, Inc., one of the country’s largest health insurance companies, recently reported that its databases were hacked last week. According to media reports, hackers were able to breach a database with approximately 80 million customers’ records. The information in the database included names, birth dates, addresses, employment information, and Social Security numbers of Anthem’s customers.
This unfortunate event serves as an important reminder of the need to implement appropriate physical, technical, and administrative safeguards to secure protected health information (PHI) and electronic PHI in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA creates a framework for health plans, healthcare providers, business associates, and others to establish, implement, and periodically review security protections for PHI. HIPAA also sets forth requirements for protecting the privacy of individuals’ PHI and notifying individuals when a breach of unsecured PHI occurs.
If Anthem provides your employees with health insurance or acts as the administrator of your self-insured group health plan, we recommend reviewing your agreements with Anthem to determine each party’s responsibilities for protecting confidential information and handling HIPAA breaches. You should also review the agreements for liability, indemnification, and mitigation obligations.
Even if you are not affected by the hacking attack on Anthem’s database, this may be a good time to review your HIPAA policies and procedures, business associate agreements, insurance contracts, and third-party administrator agreements. Reviewing these documents may identify security policies and procedures that need to be updated, gaps in HIPAA compliance, or indemnification provisions and limitations on liability that no longer suit your business needs.
If you have any questions regarding HIPAA or your welfare plans, please contact your Kutak Rock LLP attorney or a member of our Employee Benefits Practice Group.