This entry is part 22 of 26 in the series HIPAA Privacy-Security Reminders

HIPAA Privacy and Security Reminders – WellPoint OCR Settlement Agreement

What Was the Nature of the Information and How Many Individuals Were Affected?

The ePHI of 612,402 health insurance applicants, including names, dates of birth, addresses, Social Security numbers, telephone numbers and health information, was impermissibly disclosed. OCR found that WellPoint failed to adequately implement policies and procedures for authorizing access to ePHI in the database, did not perform an adequate risk analysis following a software upgrade that affected the database, and did not adequately implement technical safeguards to verify the identity of persons attempting to access ePHI in the database. As a result, the ePHI was exposed online for six months.

What Happened?

On July 8, 2013, WellPoint, an Indiana corporation, entered into a voluntary resolution agreement with the Department of Health and Human Services, Office for Civil Rights (OCR), for $1.7 million. The investigation and the settlement resulted from a breach of electronic Protected Health Information (ePHI) that WellPoint first reported in 2010.

What Is Unique About This WellPoint OCR Settlement Agreement?


  • First, WellPoint is not a traditional Covered Entity, but rather a holding company with interests in a number of health plans that form an Affiliated Covered Entity (ACE). OCR found WellPoint responsible because it was the controlling entity around which the health plan affiliates formed the ACE, and because ePHI was shared between the ACE and WellPoint. OCR's position was supported by the facts that WellPoint employees served as the ACE's workforce and that WellPoint developed policies and procedures on behalf of the ACE.
  • By entering into a voluntary Resolution Agreement, OCR did not have to prove jurisdiction over WellPoint, a point that should be of note to other organizations that do not fit the traditional Covered Entity model, but that do have an interest through ACEs or similar holding companies.
  • The Resolution Agreement does not contain a Corrective Action Plan (CAP), potentially saving WellPoint millions of dollars in implementing corrective actions and avoiding continued scrutiny by OCR to monitor the corrective actions. The lack of a CAP may indicate that WellPoint took sufficient mitigating action and adopted adequate security measures following its discovery of the breach.
  • In the press release announcing the Resolution Agreement, HHS noted that the case “sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.”

What Should Organizations Do to Help Avoid Similar Scrutiny?

  • Carefully review and document the relationships among and between the business associates and affiliated entities with which they share PHI. OCR has indicated that it will continue to enforce HIPAA Privacy and Security Rule provisions against business associates and similar entities, whether or not a business associate agreement is in place.
  • Ensure documented policies and procedures are in place, are being followed and reflect actual practices.
  • Assess the impact of changes to information systems both before and after the change is made, particularly for web-based applications or portals that expose PHI over the Internet, and verify after deployment that the access controls assumed by the risk analysis are still in effect.
  • Complete a thorough, bona fide risk analysis whenever there is a significant change to a system, to ensure that all threats, vulnerabilities and controls have been considered.
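The WellPoint finding was that a software upgrade left a database of applicant ePHI reachable without adequate identity verification. The following is an added example, not code from this post or from WellPoint, of the kind of post-change gate the last two recommendations call for: a regression check that fails a deployment if any route known to serve ePHI answers an unauthenticated request. The WSGI application, the route list, the bearer token and the applicant record are all constructed for illustration; the "broken" configuration simply models a deployment in which the authentication requirement was dropped, which is the failure mode the settlement describes in general terms.

```python
"""Post-deployment authorization regression gate (added example).

Assumes a WSGI application whose ePHI-serving routes must reject any
request lacking a valid bearer token. The application, routes, token
and records below are constructed for illustration only.
"""
import json
from wsgiref.util import setup_testing_defaults

# Constructed sample record; not real data.
APPLICANTS = {"1001": {"name": "A. Example", "dob": "1970-01-01"}}

# Routes the risk analysis identified as serving ePHI (constructed).
EPHI_ROUTES = ["/applicants/1001"]


def make_app(require_auth_on):
    """Build a minimal WSGI app.

    `require_auth_on` lists path prefixes that must demand a bearer
    token. Passing an empty list models a release in which the
    safeguard was silently removed (constructed, not the incident).
    """
    def app(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        token = environ.get("HTTP_AUTHORIZATION", "")
        protected = any(path.startswith(p) for p in require_auth_on)
        if protected and token != "Bearer valid-token":
            start_response("401 Unauthorized",
                           [("Content-Type", "application/json")])
            return [b'{"error":"authentication required"}']
        if path.startswith("/applicants/"):
            rec = APPLICANTS.get(path.rsplit("/", 1)[-1])
            if rec is None:
                start_response("404 Not Found",
                               [("Content-Type", "application/json")])
                return [b"{}"]
            start_response("200 OK", [("Content-Type", "application/json")])
            return [json.dumps(rec).encode()]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"public"]
    return app


def call(app, path, headers=None):
    """Invoke the WSGI app in-process; return (status_code, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["REQUEST_METHOD"] = "GET"
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    status = {}

    def start_response(status_line, response_headers, exc_info=None):
        status["code"] = int(status_line.split()[0])

    body = b"".join(app(environ, start_response))
    return status["code"], body


def leaked_routes(app, routes=EPHI_ROUTES):
    """Return the ePHI routes that answer 200 with no Authorization header.

    Run this against the portal before and after every change that
    touches it; a non-empty result should block the release.
    """
    return [route for route in routes if call(app, route)[0] == 200]


if __name__ == "__main__":
    good = make_app(require_auth_on=["/applicants/"])
    broken = make_app(require_auth_on=[])  # constructed: auth dropped
    print("good deployment leaks:", leaked_routes(good))
    print("broken deployment leaks:", leaked_routes(broken))
```

The check deliberately asks only one question, whether anonymous access is refused, because that is the property the settlement says was lost. A fuller gate would also assert that a valid token is scoped to the requesting user's own records and that the route inventory itself is regenerated from the application's routing table rather than maintained by hand, so that a new endpoint added during an upgrade cannot escape the check.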

What Resources Are Available to You?

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.

More HIPAA HITECH Resources:

The complete HIPAA Privacy, Security and Breach regulations are here.

Join our AboutHIPAA LinkedIn Group: http://AboutHIPAALI.org
Follow us on Twitter
Subscribe to our eNewsletter
Attend a live educational webinar.


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.