Potential Employer Requirements Due to Anthem, Inc. Data Breach

On February 4, 2015, Anthem Inc., one of the largest U.S. health insurers, notified the public that their data systems were breached. This breach potentially left customer names, social security numbers, and other personal information vulnerable. Subsequently, Anthem Inc. has already seen a customer lawsuit filed in California over the breach, with many more expected.

Health plan participants who have been affected will be notified in compliance with federal law. However, as the investigation continues, it may place additional burdens on employers. Depending upon the nature of the breach, of which further details are expected soon, employers may have to issue breach notifications under the Health Insurance Portability and Accountability Act (HIPAA). Until it becomes clear what information was taken, the specific notification requirements are unclear. For example, a key question is whether protected health information was taken.

The type of health plan an employer offers will determine how the breach affects that employer's obligations. The requirements will become clearer once further information is released. Beyond the federal HIPAA requirements, 47 states have their own breach notification laws that may impose additional obligations.

If you have questions pertaining to how this may impact your requirements under the law, please contact Houghton Vandenack Williams for further information.

© 2015 Houghton Vandenack Williams

For more information, Contact Us

Medical Providers Should Use Caution on Continued Use of Windows XP

Microsoft’s recent announcement that it will stop providing support for its Windows XP operating system could increase the HIPAA risk for certain medical providers. HIPAA generally requires medical providers to adequately safeguard their protected health information. One effect of Microsoft’s decision is that it will no longer be helping to ensure that users of XP are secure from new forms of hacking and malware. Therefore, medical providers using XP are at an increased risk of being attacked and possibly violating HIPAA. To help prevent this, medical providers using Windows XP should ensure that their anti-virus software and firewalls are current while beginning to look into upgrading their operating systems.

© 2014 Parsonage Vandenack Williams LLC


Reviewing Procedures for Breach of PHI

Despite clear compliance plans, annual training, and limiting access, there is still a chance your practice could experience a breach of protected health information (“PHI”). A “breach” means a use or disclosure of unprotected information that is not permitted by HIPAA and that compromises the security and/or privacy of the PHI. Most practices allocate considerable resources toward preventing breaches, but it is a good idea to review procedures in case a PHI breach should occur.

  •  When a breach occurs, first gather information. Determine what type of PHI was disclosed, who accessed it without authorization, and the number of patients exposed.
  •  Next, make every attempt to mitigate the damage. Can you ensure that the breached PHI has been destroyed or will be returned?
  •  Third, provide the necessary notifications. Patients must be notified no later than 60 days from when your practice knew or reasonably should have known of the breach. To help expedite the notification process, make sure that your patient contact information remains current.
  •  Finally, review your practice’s compliance plan, training schedules, and access to PHI to help prevent a similar breach from occurring again.

© 2012 Parsonage Vandenack Williams LLC

For more information, contact info@pvwlaw.com