The theft of the personally identifiable data of 80 million policyholders of Anthem Blue Cross and Blue Shield from the company’s database pinpoints a flaw in federal privacy standards, which do not require data encryption but merely encourage it.

Under the Health Insurance Portability and Accountability Act (HIPAA), all personal health information (PHI) of a policyholder must be secured and held private, but the law and its two standards — the HIPAA Privacy Rule and the HIPAA Security Rule — do not mandate encryption of data. Encryption is encouraged but not required.

Breaches of more than 500 records have to be made public. The Anthem breach of 80 million persons’ insurance records doubles the number of previously reported individual breaches.
