Data Breach Reporting Requirements for Medical Practices

February 26, 2015

The Anthem data breach illustrates the need for physicians to outline protocols in their practice to comply with new HIPAA reporting requirements.

By now, almost everyone who watches the news or reads any major newspaper has heard about the Anthem, Inc. data breach. Anthem, the nation's second-largest health insurer, is considered a covered entity under HIPAA and, in turn, must comply with the federal laws and regulations governing such entities.

On Feb. 4, the company announced that it was the target of a cyber attack that enabled hackers to penetrate its data system and access members' identifying factors and personal information, including names, dates of birth, employers, and social security numbers. In the aftermath of this announcement, class action lawsuits were filed around the country. This means that, in accordance with Rule 23 of the Federal Rules of Civil Procedure, "one or more members of a class may sue or be sued as representative parties on behalf of all members," subject to certain conditions such as the number of claimants, commonality among questions of law and fact, as well as defenses.

The suit filed in the U.S. District Court for the Southern District of Indiana, Meadows v. Anthem, Inc., indicated that the data breach exposed the information of up to 80 million consumers. The suit alleges that people would not have obtained health insurance and relied on the representations of Anthem had they known that their data was at risk. Hence, numerous contractual issues were raised. In light of this occurrence, physicians should evaluate their own contracts, their HIPAA compliance, and what they are indicating in their attestations and assurances to patients and business partners.

The new Office of Civil Rights HIPAA breach protocol

With the upgrade to the HHS' Breach Portal, additional information is required there, too.

45 CFR §164.408 and the alterations to the Breach Portal may impact certain entities that are planning on submitting their 2014 breach notification reports for incidents impacting fewer than 500 people within 60 days of the end of the calendar year, pursuant to 45 CFR §164.408(c). So, what do these new report requirements entail?

• Disclosure of a "breach end date" and a "discovery end date" is required.

• The "Safeguards in Place Prior to the Breach" section now utilizes general categories (e.g., none, privacy rule safeguards) instead of specifics (e.g., strong authentication, encrypted wireless).

• The "Actions Taken in Response to Breach" options are much more detailed and include "adopted encryption technologies, security rule risk analysis, and revised policies and procedures."

It is important to note that in the event of an investigation, any identified area may be delved into in greater detail. The March 2, 2015, 60-day deadline for reporting 2014 breaches is coming shortly. These changes are a signal that close attention should be given to HIPAA, the HITECH Act, and the related rules. Doing so can save a lot of time, money, and reputational cost.