The managed care company WellPoint Inc. has reached a Resolution Agreement with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) to settle allegations that it violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. WellPoint agreed to pay $1.7 million in connection with this settlement. The OCR enforces federal standards governing the privacy of individually identifiable health information, including the standards that cover the security of electronic individually identifiable health information.
The HHS Office for Civil Rights began investigating WellPoint after it self-reported a breach, consistent with its obligations under the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured protected health information. OCR’s investigation indicated that, after upgrading the software it used to manage electronic protected health information (ePHI) for its plan members, WellPoint failed to adequately assess the upgraded system and implement appropriate technical safeguards. The security of WellPoint’s web-based application was significantly weakened by this software upgrade: the system’s authentication measures did not properly verify that the person or entity accessing ePHI maintained in WellPoint’s database was in fact the person or entity claimed. OCR found that, as a result, from October 23, 2009 through March 7, 2010, WellPoint impermissibly disclosed the ePHI of approximately 612,000 individuals, including names, dates of birth, addresses, Social Security Numbers, telephone numbers and health information, through its web-based application. In plain terms, WellPoint’s software upgrade changed the user authentication component so that unauthorized individuals could access the ePHI of 612,402 members over the Internet.
This $1.7 million settlement was one of the largest yet in connection with an alleged HIPAA breach. The size of the settlement payment clearly reflected the number of individuals affected and the fact that ePHI was impermissibly available over the Internet.
One of the more interesting aspects of the WellPoint breach is that, since WellPoint is a large managed care company, it maintains health information for the members of over 40 different health plans that it either controls or owns, including various Anthem, Blue Cross and UNICARE plans. It is the ePHI of the members of these various plans that was allegedly improperly accessed by virtue of WellPoint’s breach. The Resolution Agreement treats WellPoint and all of its member health plans and providers as a single “Affiliated Covered Entity” while acknowledging that each affiliated plan or provider is a separate covered entity. While we may not have insight into the interplay between these various plans vis-à-vis the alleged breach, the way OCR chose to treat this managed care company and its member plans in connection with their HIPAA obligations is just as interesting.
HHS expects that covered entities that maintain ePHI will have reasonable and appropriate technical, administrative and physical safeguards in place at all times to protect the confidentiality of ePHI, particularly where this information is accessible over the Internet. The lesson here is that HIPAA-covered entities need to re-evaluate and verify appropriate security when they make changes to their information systems, especially those offering access to consumers’ ePHI over the Internet.
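The failure described above (an upgraded web application that no longer verifies the caller is the member whose record is requested) and the lesson drawn from it (re-verify safeguards after any system change) can be turned into a repeatable post-change check. The following is an added illustration, not WellPoint's code or anything from the Resolution Agreement: the handlers, token scheme, member ids and records are all constructed for the example.

```python
"""Post-change access-control regression check for a member-record endpoint.
Constructed example: weak_handler reproduces the failure mode (caller identity
is never verified); hardened_handler authenticates and then authorizes;
run_access_checks() is the kind of test to run after every upgrade."""
import hmac
import hashlib

SECRET = b"constructed-demo-key"  # hypothetical; use a real secret store in practice
# Constructed sample records, no real ePHI.
RECORDS = {"m-1001": {"name": "Member One", "dob": "1970-01-01"},
           "m-1002": {"name": "Member Two", "dob": "1982-05-17"}}

def issue_token(member_id: str) -> str:
    """Mint a session token bound to a member id (HMAC-SHA256, demo only)."""
    mac = hmac.new(SECRET, member_id.encode(), hashlib.sha256).hexdigest()
    return f"{member_id}.{mac}"

def verify_token(token):
    """Return the member id the token proves, or None if missing or forged."""
    if not token or "." not in token:
        return None
    member_id, mac = token.rsplit(".", 1)
    expected = hmac.new(SECRET, member_id.encode(), hashlib.sha256).hexdigest()
    return member_id if hmac.compare_digest(mac, expected) else None

def weak_handler(token, member_id):
    """Post-'upgrade' behaviour: trusts the id in the request, ignores the token."""
    return (200, RECORDS.get(member_id))

def hardened_handler(token, member_id):
    """Authenticate the caller, then authorize access to that member's record only."""
    caller = verify_token(token)
    if caller is None:
        return (401, None)            # not authenticated
    if caller != member_id:
        return (403, None)            # authenticated, but not this member
    return (200, RECORDS.get(member_id))

def run_access_checks(handler):
    """Run the safeguard checks against a handler; return names of failed checks."""
    own = issue_token("m-1001")
    cases = [
        ("unauthenticated request is rejected", handler(None, "m-1002")[0] == 401),
        ("forged token is rejected", handler("m-1002.deadbeef", "m-1002")[0] == 401),
        ("other member's record is refused", handler(own, "m-1002")[0] == 403),
        ("own record is served", handler(own, "m-1001") == (200, RECORDS["m-1001"])),
    ]
    return [name for name, passed in cases if not passed]
```

Running `run_access_checks` against both handlers shows the weak version failing every check except serving the member's own record, which is exactly the gap a review after an upgrade needs to catch.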
This post was contributed by Kurt Bratten. You can reach me at firstname.lastname@example.org.