Anthem Unfolding: Who has regulatory authority when it comes to security audits?

In a recent LinkedIn group discussion, there was some back-and-forth about an article that stated Anthem was refusing to cooperate in the security audit. What ensued was a debate about what is required vs. what is a good idea (particularly when you’re dealing with OPM [Office of Personnel Management] and OIG).

I, personally, was not overly surprised at Anthem’s refusal of an OIG audit. It’s not required, and while it can be positive, it can also morph into a witch hunt. OIG does not have the regulatory authority to demand an audit.

On the other hand, if OCR demanded an audit as part of an investigation, they do have the regulatory and statutory authority to investigate the breach, as well as to conduct what amounts to an audit. OCR should have been the one to demand an audit, and that may yet occur. In the end, the feds need to look to who has the authority rather than (in my humble opinion) attempt to make headlines. It will get what is needed without the consequent hoopla.

When I look at what’s happened to date, OIG’s actions are the same to me as those of the eight state AGs who wrote Anthem complaining that the company wasn’t acting quickly enough to notify individuals. In fact, Anthem actually did a good job of reacting to the breach, including notifying the media and individuals. And they did notify individuals within the time allowed under the HIPAA Breach Notification Rule. Blame the USPS for at least one of the delays; they couldn’t handle the massive send.

I’m not saying an investigation of some sort is not justified. There have been a number of high-profile breaches of late (Target, Neiman Marcus, JP Morgan Chase, Home Depot, etc.) and the hue and cry never reached this pitch. If the government wants to conduct a careful analysis, there are ways to go about that. Demanding an audit with no authority behind it is not the way. I think Anthem did what was best for Anthem and what was in Anthem’s legal right to do.

Basically, it comes down to: If there is to be a “HIPAA” investigation, let the right (authorized) agency request it (and do it), rather than playing to the headlines.