[ Tuesday, February 10, 2015 ]


Anthem Breach: Secondary Impacts on Employers.  One thing to think about when you hear of a big insurer being subject to a data breach: while the company usually does have a great many insured beneficiaries (either through direct insurance purchases or fully-insured employers), almost all such insurers have a great many more beneficiaries covered as TPAs or otherwise.  For example, most Americans with private insurance are insured by employers who have self-funded insurance plans.  Those self-funded insurance plans then go and hire Anthem, United Healthcare, Blue Cross Blue Shield, Cigna, Aetna, or some other entity to administer those plans, and those third-party administrators (or TPAs) are usually insurance companies themselves; that makes sense, since they must know how to administer the employer's self-funded plan if they can administer their own insurance products.

So, when an insurer like Anthem suffers a breach, many of the impacted individuals will be direct Anthem subscribers, but more will likely be beneficiaries of some employer who hired Anthem as a TPA of its self-insured plan.

Thus, in addition to pondering Anthem's fate, and what Anthem ought to do, it makes sense to also ponder what those self-insured plans and plan sponsors ought to do.  Interestingly, here's an employment law boutique with a blog post on just that.  Something for employer clients of Anthem to consider, for sure, and useful thoughts for all employers with either fully-insured or self-insured/TPA plans.  Additionally, it's worth it for employers to start thinking about what they would do if such a breach occurred with their own TPA.

Update: Here's another (shorter) blog post with an additional good point: check your BAAs to see who is responsible for notifications.  Of course, if you are (i) a HIPAA covered entity or (ii) a HIPAA business associate with any possible breach notification obligations, you should already have breach notification communication tools (set channels of communication, form letters, vendors chosen if not actually lined up, etc.) in place, ready to pick up and use.

Jeff [10:06 AM]
