Anthem Data-Breach Settlement Sets Tone for Privacy Enforcement


By James Swann

Anthem's $16 million data-breach settlement may signal that the federal government is about to pick up the pace on privacy and security enforcement.

The settlement, the largest ever negotiated by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), comes after a 2015 data breach exposed the personal records, including Social Security numbers and birth dates, of roughly 79 million people.

Anthem agreed as part of the deal to enter into a two-year corrective action plan with the OCR, signaling the importance the office places on enterprisewide risk assessment, Thora Johnson, a health-care attorney with Venable LLP in Baltimore, told Bloomberg Law.

The corrective action plan requires Anthem to conduct a risk analysis of all electronic protected health information and provide the results to the HHS.

Risk assessments are typical in most corrective action plans, but in Anthem’s case the company must give the OCR a description of how it will conduct a risk assessment before it begins and let the agency weigh in on whether the plan is robust enough, Johnson said.

Many large data breaches were reported in 2015, so more settlements may come soon, Johnson said.

“Although it’s been a slow start to OCR enforcement this year, it may very likely be picking up,” Johnson said. This enforcement year featured a six-month stretch—March through August—during which no settlements were announced.

Other large breaches from 2015 include those at Premera BlueCross BlueShield and CareFirst BlueCross BlueShield.

Inattention ‘Will Not be Tolerated’

Anthem’s size and ability to pay were undoubtedly major factors in reaching the settlement amount, but the primary reason was the lack of effective risk analysis, Eric Fader, an attorney with Rivkin Radler in New York, told Bloomberg Law.

“Unfortunately, data breaches are inevitable due to human error even when an entity has done virtually everything properly on an organizational level, but the size of this settlement sends a clear message that inattention to necessary preventive measures is a separate offense that will not be tolerated,” he said.

The OCR reached a $3.5 million settlement in February with Fresenius Medical Care North America that focused on the failure to conduct a thorough risk analysis and to maintain proper security policies and procedures. The Anthem settlement should serve to hammer home the importance of assessing risk, Fader said.

“I don’t think we’ll see breaches on the Anthem scale, involving tens of millions of people’s protected health information, but it seems fair to hold these huge companies to at least the same standards, if not higher, and subject them to proportionate penalties,” he said.

Risk Assessment Tool

The settlement was followed by the release Oct. 16 of a new OCR tool designed to improve security risk assessments for small and medium-sized medical practices, another sign of the increased focus.

The security risk assessment tool was developed and updated by the OCR in conjunction with the HHS Office of the National Coordinator for Health Information Technology.

Medical practices with as few as one provider can download the tool from the ONC’s website and get help tracking their electronic vulnerabilities.

A systemwide risk analysis is a required implementation specification of the HIPAA Security Rule (45 C.F.R. § 164.308(a)(1)(ii)(A)), but many health-care organizations may be skipping the step or conducting a less-than-robust assessment.
