Employer FAQs: Responding to the Anthem Breach

Originally posted February 10, 2015 by Joseph J. Lazzarotti of Jackson Lewis LLC, a United Benefit Advisors (UBA) Partner Firm, on www.workplaceprivacyreport.com.

The first massive data breach of 2015 hit one of the country's largest insurance issuers, Anthem, Inc., including Anthem Blue Cross and Blue Shield and other related entities (Anthem). The incident reportedly affected over 80 million persons who are or were covered under a policy or program insured or serviced by Anthem. The personal note from Anthem's CEO, Joseph R. Swedish, and the Anthem Facts or FAQs seek to provide helpful information to the millions of individuals affected. These communications address what is known about the incident, describe the kinds of information compromised, warn affected persons about potential email attacks, and advise that there is more information coming.

But there is not much information at this point for employers that are plan sponsors of group health plans and other welfare plans serviced by Anthem either as an insurance issuer or a third party claims administrator (TPA). Below are some FAQs about the Anthem breach for affected employers.

Isn't this really Anthem's problem?

From a legal compliance standpoint, the answer largely depends on whether the plan is insured or self-funded. For example, as discussed below, in the case of a self-funded group health plan, the HIPAA breach notification rules place the obligation to notify affected persons on the covered entity (i.e., the plan, and practically the plan sponsor) and not on the business associate (i.e., the TPA). However, contract obligations in the business associate agreement (or administrative services only agreement) have to be considered. Finally, as a practical matter, because employees and other persons covered under the plan(s) will be concerned and have questions, employers will need to have a strategy for addressing those concerns.

Is the information involved subject to HIPAA, given that the Anthem FAQs say Anthem does not believe diagnosis or treatment information was compromised?

According to the Anthem FAQs:

... the member data accessed included names, dates of birth, member ID/social security numbers, addresses, phone numbers, email addresses and employment information...[but its] investigation to date indicates there was no diagnosis or treatment data exposed.

Many maintain the mistaken belief that, in the case of a group health plan, a covered person's name and Social Security number, alone, are not "protected health information" (PHI) under the privacy regulations issued under the Health Insurance Portability and Accountability Act (HIPAA). The absence of diagnosis or treatment data does not make information any less PHI. This is because the regulatory definition includes not only information about a person's physical or mental health condition, but also how care is paid for and provided. Thus, data elements that relate to the payment or provision of health care, such as address and email address, could constitute PHI even if they are not as sensitive as a covered person's diagnosis information.

What about the state breach notification laws? Do they apply?

The Anthem breach involves personal information of individuals, such as names, member ID/Social Security numbers and other data, the kind of information protected by state breach notification laws, which currently exist in 47 states. Given the massive scale of the breach, it is likely that there are affected individuals residing in all 50 states and beyond.

Some of those state laws have exceptions when HIPAA or other federal regulations apply. Some do not. According to the Anthem FAQs, all product lines have been affected, not just health insurance (medical, dental and vision). This includes life, disability, workers' compensation and other policies and products which typically are not subject to HIPAA. Thus, regardless of the Anthem policy or product at issue, the applicable state laws will need to be considered to determine their application in this case.

Our plan is/was insured by Anthem. What should we be doing?

Under HIPAA, both the employer's group health plan under ERISA and the health insurance issuer that provides the insurance for that ERISA plan are covered entities under HIPAA. Covered entities have the primary breach notification obligations. Under state breach notification laws, the primary notification obligation generally falls on the entity that owns or licenses the data, not necessarily the entity that held the data at the time of the incident. However, in the case of a breach experienced by an insurer, and not the employer sponsoring the plan, the insurer generally is considered to be responsible for responding to the breach. Even if not entirely clear in the applicable statutes or regulations, this makes practical sense because the carrier is in control of the investigation and the facts, and usually is in the best position to work with law enforcement. Carriers can typically disseminate notifications more efficiently across the affected policies, as well as to federal and state agencies, and the media.

To date, Anthem appears to be taking the lead on the investigation and notifying affected persons. For example, its FAQs inform members that they can expect to "receive notice via mail which will advise them of the protections being offered to them as well as any next steps". Because this incident affects both HIPAA-covered and non-HIPAA plans, it is likely the notices will address the applicable HIPAA and state law requirements.

Still, there are some action items for affected employers to consider:

  • Stay informed. Closely follow the developments reported by Anthem, including coordinating with your benefits broker who might have additional information.
  • Consult with counsel. Experienced counsel can help employers properly identify their obligations and coordinate with Anthem as needed.
  • Communicate with employees. Be prepared to respond to employee questions -- consider providing a short summary of the incident to employees along with links to the Anthem materials and FAQs.
  • Evaluate vendors. Use this incident as a reason to examine more closely the data privacy and security practices of all third party vendors that handle the personal information of your employees and customers, including insurance companies. Of course, a data breach is generally not a reason, by itself, to switch vendors. With breaches of all sizes affecting many companies, there is no telling whether the grass will be greener. But making inquiries and pressing vendors to do more, including by contract, is a prudent course of action, and even required in some states.
  • Revisit your own data security compliance measures. Employers should take this as an opportunity to assess or reassess their own data security compliance measures. As many have noted, it is not just large companies that are vulnerable to these kinds of attacks.

Our plan is/was self-insured and Anthem was our TPA. What should we be doing?

In this case, whether the plan is a health plan covered by HIPAA or another employee welfare benefit, Anthem, as TPA, maintains the personal information of covered persons on behalf of the employer. In that case, Anthem's legal obligations under HIPAA and state law, as applicable, generally require only that it notify the employer concerning the circumstances of the breach -- how it happened, the kind of information breached, who was affected, etc. Then it is up to the employer/covered entity to carry out an appropriate investigation, provide notice to affected persons and otherwise comply with the applicable federal and state laws. However, administrative service agreements and, in the case of health plans, business associate agreements may delegate some of these responsibilities to the TPA, as well as indemnification obligations. So, in addition to some of the steps listed above, employers have a number of things to consider and steps to take:

  • Determine if plans have been affected. Employers might soon be receiving communications from Anthem concerning whether their plans have been affected. They also may want to reach out to Anthem and inquire.
  • Act quickly. HIPAA and state breach notification laws generally require that notices be provided without unreasonable delay, as well as place outside limits on when such notices can be provided -- e.g., 60 days following discovery under HIPAA, and 30 days in Florida.
  • Examine the administrative services agreement and/or business associate agreement. For plans that have been affected, employers need to review the related agreements as they could place certain obligations either on the employer or Anthem. The agreements also could be silent, in which case the plan/employer likely has the obligations to notify participants, agencies and media. If Anthem is responsible for responding, employers should consider taking certain steps to ensure Anthem's reaction is compliant -- e.g., has it protected data from further attacks, completed the investigation, identified all affected persons, crafted content-compliant notifications (HIPAA and some state laws have specific content requirements), and notified the applicable federal and state agencies.

    If the employer retained the responsibility to respond, it should be taking steps immediately to determine what happened and coordinate with Anthem concerning the response. This includes some of the steps listed above. For instance, in the case of group health plans under HIPAA, employers will need to confirm with Anthem whether Anthem or the employer/group health plan will be notifying the Department of Health and Human Services. Also, employers that have developed a data breach response plan (a good idea for all employers) should review that plan and follow it.

    However, as a practical matter and regardless of what is in the services agreement, Anthem may decide to take the lead on the response, and not give employers much choice in shaping the communications made to persons covered under the plans.

  • Communicate with covered persons. If it turns out that the employer will be notifying plan participants, in addition to the notification letters referred to above, employers also need to be prepared to address participant questions about the incident. Designating certain individuals or outside vendors to handle these questions and creating a script of anticipated questions and answers would facilitate a consistent and controlled response.
  • Evaluate insurance protections. Some employers may have purchased "cyber" or "breach response" insurance which could cover some of the costs related to responding to the breach or defending litigation that may follow. Employers should review their policy(ies) with their brokers to understand the potential coverage and what steps, if any, they need to take to confirm coverage.
  • Document steps taken. Employers should document the steps they take to investigate and respond to the incident, particularly if it affects one of their group health plans covered by HIPAA.

Some employees have complained about our data security practices. How should we respond?

Take them seriously! Data security has been recognized at the federal, state and local levels as an important public policy concern, most recently by President Obama in the recent State of the Union Address. Disciplining or taking adverse action against an employee who has raised these concerns could expose the employer to retaliation claims or violations of employee whistleblower protections.


For employers large and small, incidents like this can be a significant disruption to the workforce. To minimize that disruption, employers may want and need to communicate with their employees, and should do so confidently, but carefully. More information can be very helpful, but too much information and information that is repetitive can be confusing and frustrating for employees. Employers should involve key persons inside their organizations and possibly seek outside expertise and counsel to reach an appropriate balance in their response strategy and communications.



'Smart' Seat Could Reduce Whiplash Injuries

Originally posted on August 25, 2014 on The Globe and Mail.

Researchers at the University of British Columbia (UBC) are working to create a car seat system that can mitigate the effect of whiplash enough to significantly reduce the risk of injury from low-speed rear-end collisions. In the United States, the Insurance Institute for Highway Safety (IIHS) estimates that more than $8.8-billion (U.S.) is paid out annually for whiplash injuries, accounting for 25% of the total spent for all crash injuries.

The economic and social strain caused by these soft tissue injuries was an impetus for Daniel Mang, a kinesiology student at UBC, to develop an active "smart seat" that responds to the pulse created during a collision, and automatically adapts and adjusts the seat on impact to lessen the effect on the head and neck. Mang says that the smart seat has more time to adjust than an airbag, so it would rely on technology similar to that of airbags to sense the collision and adapt the seat in response to accelerometers (which can also estimate how much the occupant weighs).

To see the full article, go to: www.theglobeandmail.com/


Just Say 'No' to Co-Workers' Halloween Candy

Originally posted on October 14, 2014 by Josh Cable on ehstoday.com.

Workplace leftovers might seem like one of the perks of the job. But when co-workers try to pawn off their Halloween candy on the rest of the department, it's more of a trick than a treat.

Those seemingly generous and thoughtful co-workers often are just trying to keep temptation out of their homes.

"Not only does candy play tricks on your waistline, but it also turns productive workers into zombies," says Emily Tuerk, M.D., adult internal medicine physician at the Loyola University Health System and assistant professor in the Department of Medicine at the Loyola University Chicago Stritch School of Medicine.

"A sugar high leads to a few minutes of initial alertness and provides a short burst of energy. But beware of the scary sugar crash. When the sugar high wears off, you'll feel tired, fatigued and hungry."

Tuerk offers a few tips to help you and others on your team avoid being haunted by leftover candy:

  • Make a pact with your co-workers to not bring in leftover candy.
  • Eat breakfast, so you don't come to work hungry.
  • Bring in alternative healthy snacks, such as low-fat yogurt, small low-fat cheese sticks, carrot sticks or cucumber slices. Vegetables are a great healthy snack. You can't overdose on vegetables.
  • Be festive without being unhealthy. Blackberries and cantaloupe are a fun way to celebrate with traditional orange and black fare without packing on the holiday pounds. Bring this to the office instead of candy as a creative and candy-free way to participate in the holiday fun.
  • If you must bring in candy, put it in an out-of-the-way location. Don't put it in people's faces so they mindlessly eat it. An Eastern Illinois University study found that office workers ate an average of nine Hershey's Kisses per week when the candy was conveniently placed on top of the desk, but only six Kisses when placed in a desk drawer and three Kisses when placed 2 feet from the desk.

And if you decide to surrender to temptation and have a treat, limit yourself to a small, bite-size piece, Tuerk adds. Moderation is key.


Knowing Your Cyber Risks

Originally posted October 20, 2014 on www.Travelers.com.

To better understand the unique risks facing companies today, Travelers recently launched the Travelers Business Risk Index, a survey of business leaders from organizations of all sizes and industries. With repeated news of data breaches arising in the media, it is no surprise that American businesses large and small agree that technology-related dangers are among their top risks.

The survey polled more than 1,100 business decision makers to better understand what they believe poses the gravest threat to their business. Many leaders reported the risks they identified as their biggest concerns are also the issues their businesses are least prepared to address.

In fact, more than half (53 percent) of business leaders cited computer, technology and data-related risks as a major concern, with a particular focus on computer viruses and hacking. The top four risks survey respondents reported keeping them up at night are:

  • Viruses infecting computer systems
  • Security breaches by a hacker
  • Unrecoverable loss of stored data
  • Potential theft or loss of customer and client records

With thoughtful planning, businesses can prepare for and often avoid these risks. Some quick and easy steps a business can take include:

  • Working with an independent agent to ensure all manageable exposures are covered.
  • Ensuring that employees are exhibiting behaviors that limit cyber risks.
  • Utilizing resources such as Travelers.com/cyber to help understand and navigate the growing threat of cyber risks.

The amount of coverage a business or organization needs depends on its level of risk. Travelers understands the complexity of cyber threats and has solutions to help protect businesses of all sizes, across all industries. To learn more, talk to your independent agent or visit Travelers.com/cyber.


Retention Starts Day One

Originally posted May 12, 2014 by Stephen Bruce (PhD, PHR) on http://hrdailyadvisor.blr.com.

Retention’s going to be key for many organizations as the economy improves—your best people are going to be testing the water and your toughest competitors are going to be looking for them.

There’s Nothing I Can Do

Many managers have the attitude “I wish management would do something about retention.” That’s the first thing to correct—it’s every manager’s and supervisor’s job to work on retention. They should realize that it’s for their own good. Turnover (of good people) is their department’s most debilitating disease.

First of all, it eats away at the manager’s personal productivity—job requisitions, postings, interviews, reference checks, and training suck up a lot of valuable time.

Second, turnover is a morale killer. Everyone else has to pitch in and get the job done while the position is vacant. And then there’s the inevitable, “Why are all our good people leaving? What do they know that I don’t know? Should I start putting together my résumé?”

Retention Starts Day One … and Continues Every Day

Managers and supervisors who have great retention rates share several behaviors: They think of their employees as customers; they recruit every day; and they remember that their actions are always on display.

Employees Are Customers

How far would you go to retain a good customer? Make sure you put that level of interest in retaining your employees.

  • What do they care about?
  • Do they understand their contribution and do you show that you value that contribution?
  • What can you do today to make sure you retain them as a customer?

Recruit Every Day

As the saying goes, better recruit your best people every day … your competitors are. Try to avoid that oft-referenced situation where managers and supervisors spend 80 percent of their time on the poorest-performing 20 percent of their employees.

You Are on Display

Your actions speak louder than any policy or handbook declaration. “Our employees are our most valuable asset” sounds good on paper. Do you live up to that premise in your day-to-day dealings with employees?

You Have a Road Map

During the interviewing process, you found out about the new employee’s aspirations and expectations. And you probably made a few promises about the future as well. Together, those lists will help you build a retention road map for that employee.

Onboarding

Too many managers think that onboarding is something HR does with new employees the first day to get them signed up for benefits.

Onboarding is the first step in retention—get it right.

To be effective, onboarding is an involved process that lasts weeks or months. There are business methods and approaches to be learned, contacts to be made with key players in different departments, and various assimilation activities that help the new person be comfortable and contributing.

Remember that new employees are often reluctant to ask for help, so keep careful tabs on their work. Consider assigning a “buddy.”

A recent survey conducted by BambooHR shows the following often overlooked factors in an effective onboarding process:

  • Receiving organized, relevant, and well-timed content
  • On-the-job training
  • Assignment of an employee “buddy” or mentor
  • Having the onboarding process extend beyond the first week

When it comes to which aspects truly matter to employees starting a job, free food and perks are not what they crave. They want an onboarding process that helps them reduce the learning curve in becoming an effective, contributing team member.


Fast-rising medical ID theft hits employers hard

Originally posted May 22, 2014 by Alan Goforth on www.benefitspro.com.

About the last thing companies dealing with the complexities of implementing Obamacare need right now is to have the security of their employees’ medical information compromised. However, statistics show that is exactly what is happening.

“Medical identity theft is a rapidly spreading malady, often by organized-crime rings,” said James Quiggle, spokesman for the Coalition Against Insurance Fraud, a nonprofit alliance of carriers, consumer groups and government agencies in Washington, D.C. “Data breaches in this era of digital record-keeping can drain businesses and make employee records as vulnerable as patients.”

More than 1.8 million Americans were victims of medical identity theft in 2013, a crime that is increasing at an annual rate of 32 percent. This makes it the fastest-growing type of identity theft, according to the Identity Theft Resource Center in San Diego.

Medical ID theft is already a multibillion-dollar industry. For the fiscal year ending Sept. 30, 2013, the federal government alone recovered a record $4.3 billion from people and companies that attempted to defraud health-care programs, according to the U.S. Department of Justice and the U.S. Department of Health and Human Services.

Stealing enough personal information to purchase services or devices is not difficult for a sophisticated identity thief, said Drew Smith, founder and CEO of Scottsdale, Ariz.-based InfoArmor. His company has provided B-to-B clients with protection against various types of ID theft since 2007.

“You can go online and readily purchase someone’s basic identity information for about $50,” he said. “You usually don’t need a lot of identification to receive medical care. Most identity thieves are not using it for primary care. It’s going for things such as medical devices, prescription drugs or other areas where there is less likely to be a personal relationship with the provider.”

Hidden employer costs

Statistics rarely account for the hidden cost of lost productivity when an employee has been victimized. Dealing with the fallout can be a painstaking, time-consuming process. The average medical identity theft loss is $22,346 – six times higher than financial identity theft. Also, on average, it takes victims more than a year to clear up medical records and repair any damage to their credit.

“Employees have to deal with identity theft issues immediately, which requires time off work and lost productivity, because some banks and agencies may be open only on work days,” Smith said. “Most medical ID thefts go undetected for a year. It’s not like credit card fraud, where you usually are notified quickly if someone tries to use a stolen card. Because of the way medical records are stored, they are extremely fragmented and hard to fix when you find out. That’s why reducing the risk of medical identification theft can help a business’s bottom line.”

Employers may be surprised to learn that medical identity theft may be as likely to occur from within their organization as from outside.

“Fifty percent of medical ID claims are considered ‘friendly fraud’,” Smith said. “For example, an employee’s brother may be out of work and they allow him to use their insurance card, or a family member borrows it without permission.”

Best defenses

Although eliminating medical ID theft may be impossible, businesses do have effective options to significantly reduce risks and quickly detect breaches. “Managers must implant internal controls and train employees to harden their protection of personal data,” Quiggle said. “Protocols to protect against insider theft are especially important.”

One of the most successful defenses costs nothing to implement.

“The No. 1 thing to emphasize with employees is to be smart about their user names and passwords,” Smith said. “Many people use the same ones for multiple sites, such as health care, banking and payroll information. Identity thieves are pretty adept at stealing credentials and often use them to steal from more than one account.”

Early notification of security breaches also is critical. “Timeliness is key,” he said. “Most explanations of insurance benefits don’t come for 30 to 90 days, but we can provide real-time alerts.”

Companies such as InfoArmor can provide several levels of protection. “The entry level (service) is monitoring personal and insurance carrier information,” Smith said. “We can alert employees daily to a potential compromise of their information online.”

The next level is to search the Internet and other networks for employees’ potentially exposed medical information that may be bought or sold. InfoArmor’s service providers also evaluate medical professionals who submit claims.

“We are able to do scoring behind the scenes to identify doctors with a record of fraudulent claims who may present a high risk,” Smith said. “Finding these fraudulent doctors often is like looking for a needle in a haystack, but we can help make the haystack much smaller.”

InfoArmor is testing a new service that it calls ID Verification, which uses information from dozens of public record databases to enable providers to confirm a patient’s identity before services are administered.

“The newest services are the most employee-focused,” Smith said. “We can determine which employees have a greater inherent risk and monitor their claims data daily. We look for certain flags, such as care being received farther from home, durable medical equipment being purchased in their name or a high volume of paperwork over a short period of time. We then can issue an alert. And we are careful to do everything in a HIPAA-compliant manner.”

Smith said it is still too early to judge the potential impact of the Patient Protection and Affordable Care Act (PPACA) on the incidence of medical identity theft. But for employers seeking ways to reduce medical identity theft and its repercussions on employees, the best offense is a good defense.

“Don’t believe people who try to tell you they can prevent identity theft, because they probably are lying,” he said. “Because theft is not going away, the solution is to detect digital crimes faster.”