HIPAA Settlement Shows How To Comply

HHS’s Office of Civil Rights recently completed an enforcement action against WellPoint. WellPoint suffered security breaches and settled with the Office of Civil Rights for $1.7 million. WellPoint self-reported the breach to HHS, which mitigated the penalty it agreed to pay. The breach consisted of leaving its database open to unauthorized users over the Internet. There is no evidence that the database was actually accessed or that any information was used.

What is unique is that the OCR has published the actual settlement agreement with WellPoint. From a provider’s point of view, the settlement shows what to avoid in order to remain HIPAA compliant: OCR lists the specific violations of HIPAA law that led to the fine.

What this demonstrates is that it’s the “technical violation” that will get entities into trouble. In this case, that meant not having all the required safeguards in place for protected health information (“PHI”) and its electronic form (“ePHI”).

Quoting from the agreement:

“2. Factual Background and Covered Conduct

On June 18, 2010, HHS received notification from WellPoint regarding a breach of certain of its unsecured electronic protected health information (ePHI). On September 9, 2010, HHS notified WellPoint of HHS’s investigation regarding WellPoint’s compliance with the Privacy, Security, and Breach Notification Rules.

HHS’s investigation indicated that the following conduct occurred (“Covered Conduct”):

(1) Beginning on October 23, 2009, until March 7, 2010, WellPoint did not adequately implement policies and procedures for authorizing access to ePHI maintained in its web-based application database consistent with the applicable requirements of the Security Rule.

(2) WellPoint did not perform an adequate technical evaluation in response to a software upgrade, an operational change affecting the security of ePHI maintained in its web-based application database, that would establish the extent to which the configuration of the software providing authentication safeguards for its web-based application met the requirements of the Security Rule.

(3) Beginning on October 23, 2009, until March 7, 2010, WellPoint did not adequately implement technology to verify that a person or entity seeking access to ePHI maintained in its web-based application database is the one claimed.

(4) Beginning on October 23, 2009, until March 7, 2010, WellPoint impermissibly disclosed the ePHI, including the names, dates of birth, addresses, Social Security Numbers, telephone numbers and health information, of approximately 612,000 individuals whose ePHI was maintained in the web-based application database.”

ACTION ITEMS

Steps That Covered Entities Can Take to Protect Against HIPAA Enforcement

  • Review relationships, and the documentation of such relationships, among and between Affiliated Covered Entities and other related entities with which they share PHI
  • Revisit risk analyses, especially following any changes to the underlying technology
  • Update policies and procedures as necessary to account for changes in technology or practices
  • Continue workforce training
  • Audit ongoing programs
  • Monitor for security intrusions
  • Implement a breach response plan
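The settlement’s second and third items (a software upgrade whose effect on authentication was never evaluated, and access to the web-based database not tied to a verified identity) and the action item on revisiting risk analyses after technology changes come down to one concrete check: after any change, confirm that every path serving ePHI still refuses unauthenticated requests. The Python script below is an added example, not code from the original post or from any WellPoint system; the toy application, its paths, the `require_auth` flag and the demo record are all constructed stand-ins. It starts the toy application twice, once with authentication enforced and once with the setting reset the way an upgrade might do, and lists which ePHI paths answer an unauthenticated request with data.

```python
"""Post-change authentication check for a web application that serves ePHI.

Added example: the application and its configuration flag are hypothetical.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Paths that serve ePHI in the hypothetical application (constructed list).
EPHI_PATHS = ["/members/search", "/members/12345", "/claims/export"]

# Placeholder record returned by the toy app; constructed, not real data.
DEMO_RECORD = {"member_id": "12345", "name": "EXAMPLE ONLY"}


def make_handler(require_auth):
    """Build a request handler for the toy app.

    `require_auth` stands in for the authentication setting that a software
    upgrade could silently reset (hypothetical configuration flag).
    """

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path not in EPHI_PATHS:
                self.send_error(404)
                return
            token = self.headers.get("Authorization", "")
            # When enforced, anything but the demo bearer token is rejected.
            if require_auth and token != "Bearer demo-token":
                self.send_response(401)
                self.send_header("WWW-Authenticate", "Bearer")
                self.end_headers()
                return
            body = json.dumps(DEMO_RECORD).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass  # keep the check's output readable

    return Handler


def start_server(require_auth):
    """Start the toy app on a random loopback port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(require_auth))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def unauthenticated_status(base_url, path):
    """Request `path` with no credentials and return the HTTP status code."""
    try:
        with urlopen(Request(base_url + path)) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def find_open_paths(base_url, paths=EPHI_PATHS):
    """Return the ePHI paths that hand back 200 to an unauthenticated client.

    An empty list is the only acceptable result after a change.
    """
    return [p for p in paths if unauthenticated_status(base_url, p) == 200]


def evaluate(require_auth):
    """Run the check against a fresh instance with the given auth setting."""
    server = start_server(require_auth)
    try:
        base = "http://127.0.0.1:%d" % server.server_address[1]
        return find_open_paths(base)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("before upgrade (auth enforced): open paths =", evaluate(True))
    print("after upgrade (auth reset):     open paths =", evaluate(False))
```

The second line of output is the regression the settlement’s “technical evaluation” language is aimed at: the application still works, but every ePHI path is readable without a verified identity. In practice `find_open_paths` would be pointed at a staging copy of the real application after each upgrade, any non-empty result would block the rollout, and the run would be recorded as part of the updated risk analysis.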