By James Swann
Anthem's $16 million data-breach settlement may signal that the federal government is about to pick up the pace on privacy and security enforcement.
The settlement—the largest negotiated by the Health and Human Services Office for Civil Rights—comes after a 2015 data breach exposed the personal records, including Social Security numbers and birth dates, of roughly 79 million people.
Anthem agreed as part of the deal to enter into a two-year corrective action plan with the OCR, signaling the importance the office places on enterprisewide risk assessment, Thora Johnson, a health-care attorney with Venable LLP in Baltimore, told Bloomberg Law.
The corrective action plan requires Anthem to conduct a risk analysis of all electronic protected health information and provide the results to the HHS.
Risk assessments are typical in most corrective action plans, but in Anthem’s case the company must give the OCR a description of how it will conduct a risk assessment before it begins and let the agency weigh in on whether the plan is robust enough, Johnson said.
Many large data breaches were reported in 2015, so more settlements may come soon, Johnson said.
“Although it’s been a slow start to OCR enforcement this year, it may very likely be picking up,” Johnson said. This enforcement year featured a six-month stretch—March through August—during which no settlements were announced.
Other large breaches from 2015 include Premera BlueCross BlueShield and CareFirst BlueCross BlueShield.
Anthem’s size and ability to pay were undoubtedly major factors in reaching the settlement amount, but the primary reason was the lack of effective risk analysis, Eric Fader, an attorney with Rivkin Radler in New York, told Bloomberg Law.
“Unfortunately, data breaches are inevitable due to human error even when an entity has done virtually everything properly on an organizational level, but the size of this settlement sends a clear message that inattention to necessary preventive measures is a separate offense that will not be tolerated,” he said.
The OCR reached a $3.5 million settlement in February with Fresenius Medical Care North America that focused on the failure to conduct a thorough risk analysis and to maintain proper security policies and procedures. The Anthem settlement should serve to hammer home the importance of assessing risk, Fader said.
“I don’t think we’ll see breaches on the Anthem scale, involving tens of millions of people’s protected health information, but it seems fair to hold these huge companies to at least the same standards, if not higher, and subject them to proportionate penalties,” he said.
The settlement was followed by the release Oct. 16 of a new OCR tool designed to improve security risk assessments for small and medium-sized medical practices, another sign of the increased focus.
The security risk assessment tool was developed and updated by the OCR in conjunction with the HHS Office of the National Coordinator for Health Information Technology.
Medical practices with as few as one provider can download the tool from the ONC’s website and get help tracking their electronic vulnerabilities.
A risk analysis covering all of an organization's electronic protected health information is a requirement of the HIPAA Security Rule, but many health-care organizations may be skipping the step or conducting a less-than-robust assessment.