Record $16M Anthem HIPAA Settlement Signals Need To Tighten HIPAA Compliance & Risk Management

Health care providers, managed care organizations, health plans and insurers, health care clearinghouses and their business associates should study and learn from the just announced, record-setting $16 million resolution agreement between health insurance giant, Anthem, Inc. and the Department of Health & Human Services Office of Civil Rights (OCR).  The resolution agreement resolves OCR charges that Anthem, Inc.’s violations of the Health Insurance Portability & Accountability Act (HIPAA) Privacy and Security Rules exposed the electronic protected health information (ePHI) of almost 79 million people.  In addition to reviewing the adequacy of their own HIPAA privacy and security practices, health care providers, health plans, their employer and union sponsors and fiduciaries also should consider assessing the advisability of tightening their business associate and other agreements with health insurers, third party administrative services providers and other vendors in light of the resolution agreement and practical experiences with the fallout of the Anthem breach to better position themselves to assess and enforce HIPAA compliance, receive notice and respond in the event of an insurer or other vendor breach and mitigate financial costs and liabilities resulting from breaches or other compliance deficiencies.

Anthem’s Record Setting Breach & Resolution Agreement

The settlement agreement announced October 15, 2018 by OCR requires Anthem, Inc. to pay a $16 million resolution payment to OCR and take a series of corrective actions to resolve HIPAA liabilities to OCR for allowing the largest known U.S. health data breach in history in 2015.

The record $16 million resolution payment eclipses the prior record resolution payment of $5.55 million Memorial Healthcare System (MHS) paid OCR to settle HIPAA charges in 2016.

An independent licensee of the Blue Cross and Blue Shield Association and one of the nation’s largest health benefits companies, Anthem provides medical care coverage to one in eight Americans through its affiliated health plans.  The breach that resulted in the settlement agreement affected ePHI Anthem maintained for its affiliated health plans including many employer or union sponsored self-insured and insured group health plans and other HIPAA-covered entity health plans.

On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights  that disclosed that Anthem discovered on January 29, 2015 that cyber-attackers had gained access to and engaged in continuous and targeted cyberattack on Anthem’s IT system for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack.  After filing its breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.

Beyond the consequences for the millions of individuals whose ePHI was disclosed through the breach, the breach also triggered responsibilities and concerns for heath care providers who contracted to provide care or services to Anthem plan members, fiduciaries and sponsors of the employer and union-sponsored group health plans administered or insured by Anthem.  Health care providers and their patients were forced to deal with the fall out of having patient data exposed in the breach.  In addition sponsors and fiduciaries of private sector employer or union sponsored plans struggled to obtain information and cooperation from Anthem necessary to evaluate and fulfill their health plans’ HIPAA obligations as well as the fiduciary responsibility requirements of the Employee Retirement Income Security Act (ERISA).

In addition to the $16 million settlement that Anthem is paying to resolve OCR’s HIPAA charges stemming from the breach, the OCR settlement agreement also requires Anthem to undertake a robust corrective action plan to comply with the HIPAA Rules.

In addition to the $16 million paid under the OCR resolution agreement, anthem already has paid more than $115 million to settle lawsuits arising out of the breach under other laws.

Anthem Follows On Other Recent Enforcement

The record setting Anthem resolution agreement is notable in part as one of the few high dollar settlement agreements involving a health plan.  To date, the overwhelming majority of HIPAA enforcement actions have involved health care providers.

Rgeardless of the category of the covered entity involved, however, the Anthem settlement again drives home the risks health care providers, health plans and other covered entities and their business associates run for lax HIPAA compliance and risk management.  The latest in the growing list of high dollar HIPAA settlements OCR has collected from health care provider and other covered entities including the $999,0000 in settlement payments OCR announced on September 20, 2018 that Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH) paid  for putting publicity before patient privacy by allowing ABC News documentary film crews to film patients and access other patient information for a news documentary without obtaining prior patient authorization under three settlement agreements.

Act To Manage Compliance & Risks

Unquestionably, health care providers, other health insurers, employer, union and association sponsored group health plans, and their vendors and business associates should evaluate the adequacy and defensibility of their own health plan privacy and security practices in light of the Anthem breach and resolution agreement.  In addition, employer, union or association health plan sponsors, administrative service providers and fiduciaries also should consider the advisability of strengthening their business associate agreements with insurers, third party administrators and other health plan service providers to incorporate safeguards, audit, oversight or other provisions and practices to help prudently monitor potential risks and improve their ability to receive timely notice, respond to, and preserve rights of recourse against insurers or other vendors in the event of a breach or other deficiency.

Since Covered Entities also are likely to be subject to other statutory, ethical, contractual or other privacy or confidentiality requirements beyond those imposed by the Privacy Rule, most Covered Entities also will want to consider and take steps to identify and address other potential legal or ethical responsibilities such as medical confidentiality duties applicable to physicians and other health care providers under medical ethics, professional licensure or other similar rules, contractual responsibilities, as well as common law privacy or other related exposures when conducting this review.  Additionally, most Covered Entities also will want to take into account and manage their potential exposure to privacy, theft of likeness or other intellectual property, or other statutory or common law tort or contractual claims that might attached to the unauthorized filming, photographing, or surveillance of individuals under federal or state common or statutory laws.

Since this analysis and review in most cases will result in the uncovering or discussion of potentially legally or politically sensitive information, Covered Entities should consider consulting with or engaging experienced legal counsel for assistance in structuring and executing these activities to maximize their ability to claim attorney-client privilege or other evidentiary protections against discovery or disclosure of certain aspects of these activities.

Finally, Covered Entities should keep in mind that HIPAA compliance and risk management is an ongoing process requiring constant awareness and diligence.  Consequently, Covered Entities should both monitor OCR and other regulatory and enforcement developments as well as exercise ongoing vigilance to monitor and maintain compliance within their organizations.

About The Author

A practicing attorney and Managing Shareholder of Cynthia Marcotte Stamer, P.C, Cynthia Marcotte Stamer’s more than 30 years’ of leading edge work as an practicing attorney, author, lecturer and industry and policy thought leader have resulted in her recognition as a “Top” attorney in employee benefits, labor and employment and health care law.

Board certified in labor and employment law by the Texas Board of Legal Specialization, a Fellow in the American College of Employee Benefit Counsel, Scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits (JCEB) Annual Agency Meeting with the Office of Civil Rights and a former JCEB Council Representative; former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group; and past Chair, former Welfare Benefit Committee Co-Chair and current Fiduciary Responsibility Committee Co-Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, former Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, Ms. Stamer is recognized nationally and internationally for her practical and creative insights and leadership on HIPAA and other health care, managed care and insurance, and other employee benefit, human resources, and related antitrust, corporate, privacy and data security, tax and other internal controls, regulatory affairs and public policy concerns.

Ms. Stamer’s legal and management consulting work throughout her career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international health, insurance and financial security, and other businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

In this respect, Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, regulatory compliance and operational and performance management. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

Well known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes.

As a key part of this work, Ms. Stamer uses her deep and highly specialized health, insurance, labor and employment and other knowledge and experience to help health industry, insurance and financial services and other employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compliance and internal controls, risk management, human resources and other workforce performance, discipline, compensation, employee benefits and related programs, products and arrangements.

In the course of this work, Ms. Stamer has accumulated an impressive resume of experience advising and representing clients on HIPAA and other privacy and data security concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights for several years, Ms. Stamer has worked extensively with health plans, health care providers, health care clearinghouses, their business associates, employer and other sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health plans, health insurers, health care providers, banking, technology and other vendors, and others. Beyond advising these and other clients on privacy and data security compliance, risk management, investigations and data breach response and remediation, Ms. Stamer also advises and represents clients on OCR and other HHS, Department of Labor, IRS, FTC, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She also is the author of numerous highly acclaimed publications, workshops and tools for HIPAA or other compliance including training programs on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

Ms. Stamer also is deeply involved in helping to influence the health care, workforce, insurance and financial services, employee benefit, privacy and data security and other federal, state and local laws, regulations and enforcement actions. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas. She also works as a policy advisor and advocate to health, insurance and financial services, employee benefits and other business, professional and civic organizations.

Author of the thousands of publications and workshops these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer also is a highly sought out speaker and industry thought leader known for empowering audiences and readers. Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters in Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications. Ms. Stamer also regularly serves on the faculty and planning committees for symposia of LexisNexis, the American Bar Association, ALIABA, the Society of Employee Benefits Administrators, the American Law Institute, ISSA, HIMMs, and many other prominent educational and training organizations and conducts training and speaks on these and other management, compliance and public policy concerns.

Ms. Stamer also has a lifelong history of involvement with and service with a diverse range of professional, community and charitable organizations and causes including as founder and Executive Director of the Coalition for Responsible Health Care Policy and its PROJECT COPE: Coalition for Patient Empowerment; technical advisor to the National Physicians’ Council for Health Care Policy; a founding Board Member and President of the Alliance for Healthcare Excellence and its Patient Empowerment and Health Care Heroes Projects; a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; a member of the Dallas United Way Long Range Planning Committee; as well as leadership involvement in the ABA Joint Committee on Employee Benefits Council, the North Texas Healthcare Compliance Professionals Association; the ABA RPTE Employee Benefits & Other Compensation Committee, the ABA Health Law Section, the ABA International Section Life Sciences Committee, and the ABA TIPS Employee Benefit Committee; TEGE Coordinator of the Gulf Coast TEGE Council TE Division; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association; Dallas, Regional and State BACPAC Chair of the Texas Association of Business; SHRM Regional Chair and National Advisory Board Chair; WEB Network of Benefits Professionals National and Dallas Boards; as a contributing author and the Advisory Board member of the BNA EBCD CD, InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications and as chair or planning faculty of a multitude of symposia.. For additional information about Ms. Stamer, see www.cynthiastamer.com, or contact Ms. Stamer via email here or via telephone to (214) 452.8297.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing other Solutions Law Press, Inc.™ resources at www.solutionslawpress.com such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here.

©2018 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.  All other rights reserved.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: