Recently, one of the country's largest health insurers, Anthem, Inc., which includes Anthem Blue Cross and Blue Shield, fell victim to a massive data breach resulting from a sophisticated external cyber-attack. Cyber-attacks on healthcare entities of all sizes are becoming more common. While the investigation is ongoing to determine exactly how much customer data was compromised, the company has confirmed that the affected database housed records for approximately 80 million people. Anthem, and most media outlets, reported that the hackers did not steal information related to customers' medical treatment, but that they did obtain valuable personal information such as names, Social Security numbers, birthdates, and employment information. Framing the breach around the absence of treatment data is misleading in light of the definition of "Protected Health Information" or "PHI" under the Health Insurance Portability and Accountability Act (HIPAA): PHI is individually identifiable health information held by a Covered Entity, and it expressly includes demographic identifiers relating to the provision of, or payment for, health care, not just clinical records. All of the data reportedly stolen by the hackers therefore falls within the definition of PHI, and this "breach" is likely reportable as an unauthorized disclosure of PHI.
HIPAA requires "Covered Entities," which include health care providers, health insurers, and healthcare clearinghouses, to maintain a broad array of safeguards to limit the use and disclosure of personal information. Under the HIPAA Security Rule, implementation specifications are either "Required" or "Addressable." An Addressable specification does not mean an optional one: it requires a Covered Entity to perform a "risk assessment" to determine whether the safeguard is reasonable and appropriate in its environment, based on a variety of factors, including the size and sophistication of the Covered Entity, the relative cost of the safeguard, the nature of the protected health information, the potential risks to patients' privacy, and the potential effects on patient care of implementing such safeguards. If the safeguard is reasonable and appropriate, the Covered Entity must implement it; if not, it must document why and implement an equivalent alternative measure where reasonable and appropriate. Encryption of electronic PHI is an Addressable specification. Therefore HIPAA may not require data encryption in every case, but it does require the Covered Entity to perform a risk assessment to make, and document, the determination as to the need for encryption. Encryption also matters after the fact: the Breach Notification Rule applies to "unsecured" PHI, and PHI that has been encrypted in accordance with HHS guidance generally does not trigger the notification obligations that Anthem now faces. Given the constant evolution of technology, encryption has become more accessible to Covered Entities from both a feasibility and a financial standpoint, which makes it harder to justify a decision not to encrypt. Every Covered Entity should review its HIPAA policies and technology safeguards, and perform risk assessments on a regular basis.
Frier Levitt has provided clients with guidance on HIPAA for over 15 years, including assisting Covered Entities with the tools to prevent and respond to patient data breaches and developing comprehensive HIPAA plans tailored to each client's specific needs. Contact us today to speak to an attorney.