The breach involving 80 million records at the nation’s second-largest health insurer fulfilled the warnings many have offered for years: there is no such thing as a secure electronic health information system.

Large numbers have a tendency to concentrate the minds of policymakers and consumers, so here are a few more. Before the hack at Anthem, healthcare data breaches had already affected more than 40 million Americans in just five years. In 2014, nearly four million more health records were stolen than in any previous year. And the rate of breaches keeps increasing as sophisticated criminals – often operating outside the United States – launch daily attacks on electronic health information systems, using the information to commit identity theft and fraud.

There have always been people looking to make an easy buck by ripping off the system. The difference is that 20 years ago you’d have needed a small army and a fleet of tractor trailers to haul away the 80 million (paper) records that can now go poof with the click of a mouse.

For many of the same reasons we can hamper would-be terrorists but never completely prevent new attacks, some cyber criminals will always get through. When that happens – when individuals’ most personal and private information is out there for sale – we need to do a much better job mitigating and remedying the impacts.

Anthem has been clear in its communications to the public that medical information was not part of the breach. However, the breach included plan information, which the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has previously concluded was protected health information. This is an effort by OCR to address the underlying defect in the HIPAA Privacy and Security Rules, which is that the protections do not attach to the information, but rather only apply to certain individuals and organizations and not to others.

These issues have significant impacts for large companies that are self-insured. A company that runs its own group health plan, but contracts with Anthem to administer it, is a “covered entity” under HIPAA and bears the responsibility for safeguarding the members’ protected health information (PHI).

One thing that is increasingly clear is that credit monitoring cannot effectively limit the damage from health identity theft. Victims need to know when someone is using their health information to file a claim or get treatment under their name. Credit monitoring doesn’t provide that kind of protection.

Going forward, we need to develop new policies and legislation to restore the ability of patients to protect themselves and their families. Any new law must start with privacy protections that 1) the public can comprehend and 2) the regulated industry can understand and implement with confidence. These privacy protections have to run with the information, not be dependent upon who’s possessing it. And we need much better remedies for the damages that do occur – going well beyond ineffectual credit monitoring – to ensure the public doesn’t lose confidence in the entire healthcare delivery system.

Currently, the laws we have on the books aren’t working well, which isn’t much of a surprise, considering the chaotic “stakeholder” process under which they were developed. Any new law should start with recognition of certain priorities, such as reaffirming and defining the patient’s right to privacy; it should be based on standards of professional ethics, constitutional and tort law; and it should ensure the rights and interests of the public aren’t overridden or ignored by health IT vendors.

It is time we recognized that health information privacy is not just good health policy. It is also good business and good politics.

Pyles has more than forty years of experience in litigation, counseling, and lobbying in the field of health law and policy.