Authors: Roger Cohen, Paul Hamburger, Kristen Mathews, Ellen Moskowitz, Richard Zall

Anthem Inc. (Anthem), the nation’s second-largest health insurer, revealed late on Wednesday, February 4 that it was the victim of a significant cyber attack. According to Anthem, the attack exposed personal information of approximately 80 million individuals, including those insured by related Anthem companies.

We have heard the well-publicized stories of stolen laptops and resulting violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and we generally recognize the inherent security risks and potential for breach of unsecured electronic protected health information posed by computer hard drives. We remember to “wipe” the personal data off of our phones or computers before they are disposed, donated, or recycled.

A recent HIPAA settlement offers a costly reminder that other types of office equipment we use regularly have similar hard drives capable of storing confidential personal information.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published on its website a series of factsheets designed to educate consumers unfamiliar with their rights under the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules.  These four factsheets are described in detail

On January 17, 2013, U.S. Department of Health and Human Services Secretary Kathleen Sebelius announced the final omnibus rule that among other things (1) increases patient privacy protections; (2) provides individuals with new rights to receive a copy of their electronic medical record in an electronic form;  and (3) provides

As physicians, nurses, therapists and health care providers continue to utilize new smart phones, tablets, and laptops in caring for patients, the Department of Health and Human Services (“HHS”) has responded with educational videos, worksheets and guidance to help health care providers  create a “culture of compliance and awareness” and to protect patients’ Protected Health Information (“PHI”).  While the material is focused on health care professionals, the information is also applicable to group health plan professionals and their business associates who use mobile devices to store and transmit PHI in connection with administration of group health plans.

On November 26, 2012, the Department of Health and Human Services Office for Civil Rights (“OCR”) published a thirty-two page document titled “Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule” (“De-Identification Guidance”).  OCR described the guidance document as a culmination of two years of work by “stakeholders with practical, technical and policy experience in de-identification.”  OCR also acknowledged that the guidance implements many of the issues and topics that were raised during an OCR workshop held in Washington, DC on March 8-9, 2010.

As health care providers, patients, family members, friends, and disaster relief agencies such as the American Red Cross continue to grapple with the aftermath of Hurricane Sandy it is important to be mindful of privacy regulations and to prepare in advance for the next emergency. The Health Insurance Portability and Accountability Act  of 1996 (“HIPAA” or “Privacy Rule”) protects individually identifiable health information held by “covered entities.” The information protected is referred to as protected health information or PHI. The Privacy Rule permits covered entities to disclose PHI for a variety of purposes including to (a) treat patients; (b) identify, locate and notify family members, guardians, or anyone else responsible for an individual’s care; (c) obtain the services of disaster relief agencies; (d) conduct public health activities; and (e) prevent or lessen serious and imminent threats to health or safety.