HIPAA Privacy and Security Reminders – WellPoint OCR Settlement Agreement


This entry is part 5 of 10 in the series HIPAA Privacy-Security Reminders


What Was the Nature of the Information and How Many Individuals Were Affected?

The ePHI of 612,402 health insurance applicants, including names, dates of birth, addresses, Social Security numbers, telephone numbers and health information, was impermissibly disclosed. OCR found that WellPoint failed to adequately implement policies and procedures for authorizing access to ePHI in the database, did not perform an adequate risk analysis following a software upgrade that affected the database, and did not adequately implement technical safeguards to verify the identity of persons trying to access ePHI in the database. As a result, the ePHI was exposed online for six months.

What Happened?

On July 8, 2013, WellPoint, an Indiana corporation, entered into a voluntary resolution agreement with the Department of Health and Human Services, Office for Civil Rights (OCR), for $1.7 million. The investigation and settlement resulted from a breach of electronic Protected Health Information (ePHI) that WellPoint first reported in 2010.

What is Unique About This WellPoint OCR Settlement Agreement?


  • First, WellPoint is not a traditional Covered Entity, but rather a holding company with interests in a number of health plans that together form an Affiliated Covered Entity (ACE). OCR found WellPoint responsible because it was the controlling entity around which the health plan affiliates formed the ACE, and because ePHI was shared between the ACE and WellPoint. OCR’s position was supported by the facts that WellPoint employees served as the ACE’s workforce and that WellPoint developed policies and procedures on behalf of the ACE.
  • Because WellPoint entered into a voluntary Resolution Agreement, OCR did not have to prove jurisdiction over it. Other organizations that do not fit the traditional Covered Entity model, but that hold an interest through an ACE or a similar holding-company structure, should take note.
  • The Resolution Agreement does not contain a Corrective Action Plan (CAP), potentially saving WellPoint millions of dollars in implementing corrective actions and avoiding continued scrutiny by OCR to monitor the corrective actions. The lack of a CAP may indicate that WellPoint took sufficient mitigating action and adopted adequate security measures following its discovery of the breach.
  • In the press release announcing the Resolution Agreement, HHS noted that the case “sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.”

What Should Organizations Do to Help Avoid Similar Scrutiny?

  • Carefully review and document the relationships among and between business associates with which they share PHI.  OCR has indicated that it will continue to enforce HIPAA Privacy and Security Rule provisions against business associates and similar entities, whether or not a business associate agreement is in place.
  • Ensure documented policies and procedures are in place, are being followed and reflect actual practices.
  • Consider the impact of changes to information systems both before and after they are made. In this case a software upgrade left a database reachable online without adequate verification of user identity, so re-verify that authentication and access-authorization controls still function as intended after any upgrade, migration or configuration change, particularly for Web-based applications and portals that expose PHI.
  • Complete a thorough, bona fide risk analysis whenever there is a significant change to a system, so that all threats, vulnerabilities and controls have been considered and the results are documented.

What Resources Are Available to You?

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.

More HIPAA HITECH Resources:

The complete HIPAA Privacy, Security and Breach regulations are here.

Join our AboutHIPAA LinkedIn Group: http://AboutHIPAALI.org
Follow us on Twitter
Subscribe to our eNewsletter
Attend a live educational webinar.


Clearwater

Clearwater helps healthcare organizations ensure patient safety and improve the quality of care by safeguarding the confidentiality, integrity and availability of protected health information (PHI).

We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.