HIPAA Privacy and Security Reminders – WellPoint OCR Settlement Agreement
What Was the Nature of the Information and How Many Individuals Were Affected?
The ePHI, including names, dates of birth, addresses, Social Security numbers, telephone numbers and health information, of 612,402 health insurance applicants was impermissibly disclosed after WellPoint failed to adequately implement policies and procedures for authorizing access to ePHI in the database, did not perform an adequate risk analysis following a software upgrade that affected the database, and did not adequately implement technical safeguards to verify the identity of persons trying to access ePHI in the database. As a result the ePHI was exposed online for 6 months.
On July 8, 2013, WellPoint, an Indiana corporation, entered into a voluntary resolution agreement with the Department of Health and Human Service, Office for Civil Rights (OCR), for $1.7 million. An investigation and the settlement resulted from a breach of electronic Protected Health Information (ePHI) that WellPoint first reported in 2010.
What is Unique About This Wellpoint OCR Settlement Agreement
- First, WellPoint is not a traditional Covered Entity, but rather a holding company with interest in a number of health plans that form an Affiliated Covered Entity or ACE. OCR found WellPoint responsible since it was the controlling entity around which the health plan affiliates formed the ACE; and that ePHI was shared between the ACE and WellPoint. OCR’s position was supported by the facts that WellPoint employees served as the ACE’s workforce, and WellPoint developed policies and procedures on behalf of the ACE.
- By entering into a voluntary Resolution Agreement, OCR did not have to prove jurisdiction over WellPoint, a point that should be of note to other organizations that do not fit the traditional Covered Entity model, but that do have an interest through ACEs or similar holding companies.
- The Resolution Agreement does not contain a Corrective Action Plan (CAP), potentially saving WellPoint millions of dollars in implementing corrective actions and avoiding continued scrutiny by OCR to monitor the corrective actions. The lack of a CAP may indicate that WellPoint took sufficient mitigating action and adopted adequate security measures following its discovery of the breach.
- In the press release announcing the Resolution Agreement, HHS noted that the case “sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.”
What Should Organizations Do to Help Avoid Similar Scrutiny?
- Carefully review and document the relationships among and between business associates with which they share PHI. OCR has indicated that it will continue to enforce HIPAA Privacy and Security Rule provisions against business associates and similar entities, whether or not a business associate agreement is in place.
- Ensure documented policies and procedures are in place, are being followed and reflect actual practices.
- Consider the impact of implementing changes to information systems, both before and after the changes.
- Complete a thorough, bona fide risk analysis whenever there is a significant change to a system, to ensure that all threats, vulnerabilities and controls have been considered.
What Resources Are Available to You?
More HIPAA HITECH Resources:
The complete HIPAA Privacy, Security and Breach regulations are here.
Latest posts by Bob Chaput (see all)
- HIPAA Risk Analysis Tip – Part 5 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez - June 5, 2017
- HIPAA Risk Analysis Tip – Part 4 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez - May 29, 2017
- HIPAA Risk Analysis Tip – Part 3 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez - May 21, 2017