• What Are Some Lessons from the Anthem and Premera Breaches?

  • We have all heard about the two recent breaches at Anthem and Premera Insurance, which together affected over 91 million customers. In addition to these two publicized breaches, there were over 258 reported breaches in 2014, in which over 2 million additional individuals were affected.

    What are some of the lessons and the impact of these two events, and of the other breaches? We know that each of the breaches has victims, along with their related associates and business associates. Is the industry, as a whole, tainted or suspect?

    Premera Blue Cross is facing five class action suits over the recent breach, said James Bilborrow, an attorney representing the plaintiffs with law firm Weitz & Luxenberg. Several other class action suits have already been filed against the insurer Anthem.
    Keys to Prevent, Preserve and Protect:

    • Know where your organization's Protected Health Information (PHI) is stored. The Office of Civil Rights (OCR) Annual Report to Congress on Breaches of Unsecured Protected Health Information, required by the HITECH Act, reported that over 49% of all breaches come from desktop computers, network servers and paper records. Do you have a risk policy?

    • The OCR also reported a jump in breaches involving portable devices, such as laptops and smartphones. Do you have a policy for employees bringing their own mobile devices? Do you employ mobile device management (MDM) software?

    • Monitor your Business Associates and their obligations to you as a provider handling PHI. The OCR report revealed a 26% jump, over the two-year reporting period of 2011-2012, in the number of individuals affected by a breach. Over 59.3% of the total individuals affected by a breach were affected as the result of a Business Associate. Do you annually review your Business Associates' obligations and require them to provide you with their Risk Assessment?

    • Will your breach lead to an OCR Audit and Compliance Review? According to the OCR report, the agency opens a compliance review to investigate “all reported breaches affecting 500 or more individuals and may open compliance reviews into certain reported breaches affecting less than 500 individuals.” Do you have a Breach and Response Policy?

    • Breaches affecting fewer than 500 individuals must be reported within 60 days after the end of the year. However, the OCR demonstrated in a Resolution Agreement with Hospice of North Idaho, the first of its kind, that small breaches are not immune to a Compliance Review. Small related breaches can be a trigger, since they can be indicative of a systemic compliance problem within an organization. Do you have a process in place to identify foreseeable risks and to mitigate them?

    Daniel Solove, John Marshall Harlan Research Professor of Law at the George Washington University Law School, said during the HIPAA Summit in the District of Columbia last month, “Data protection must be felt in the bones of an organization; it must be part of the organization's culture. It can't be something that's an afterthought or tacked on.”

    Compliance needs to be a part of every organization. Not only does it instill confidence in your workforce, customers, patients and shareholders, it is the foundation of the business and it is the law. Internal controls, procedures and policies go a long way in preventing breaches and in protecting and preserving your business.

    Judith Lindsay, owner of JAL Consulting & Associates, tackles all the elements of the HIPAA compliance puzzle, successfully assisting covered entities to make sense of it all and to implement policies and procedures that are reasonable and appropriate for their entity. In addition to this monthly newsletter, Judith has authored a comprehensive and customizable 2015 compliance manual that will launch in the second quarter of 2015. The manual contains procedures, policies, staff training and staff testing.