Recently, a national BlueCross BlueShield affiliate, Anthem, Inc., discovered that its information technology systems were hacked. The information believed to have been accessed includes names, member ID numbers, dates of birth, addresses, social security numbers, e-mail addresses, telephone numbers, and employment information, including income data. Many local school districts’ group health plans were affected by this breach because it affected not only group health plans directly insured or administered through Anthem, but also plans that utilize the BlueCross BlueShield “BlueCard” program.
If a school district’s health plan has been notified by BlueCross BlueShield or Anthem that its participants’ information was disclosed, the district must take immediate action to comply with the HIPAA breach notification requirements. This includes notifying affected individuals, the Department of Health and Human Services, and, in some cases, local media. In addition to the federal HIPAA notice requirements, if the disclosed information includes an individual’s social security number, the school district must also notify three state agencies as required under the New York State Technology Law. Failure to comply with these notice requirements in a timely manner could subject a school district to significant penalties. Once the notice requirements have been fulfilled, districts should review and update their HIPAA compliance documents (e.g., HIPAA Privacy & Security Policies, Business Associate Agreements, HIPAA Notice of Privacy Practices, training log, etc.) in preparation for a potential audit.