On July 11, 2013, the Department of Health and Human Services (“HHS”) announced that it reached a settlement with a large national health insurance company (“Company”) stemming from alleged violations under the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule. The HHS Office for Civil Rights (“OCR”) initiated its investigation after the Company filed a breach report as required by the breach notification provisions of the Health Information Technology for Economic and Clinical Health Act (“HITECH”).
The breach investigation indicated that the Company failed to secure an online application database containing the electronic protected health information (“ePHI”) for 612,402 individuals. The ePHI included names, dates of birth, addresses, Social Security numbers, telephone numbers and health information. OCR’s investigation found that the Company had failed, over an extended period of time, to take necessary steps to comply with several requirements under the HIPAA Security Rule. In particular, OCR found that the Company failed to comply with HIPAA in the following ways:
- The Company failed to perform an appropriate technical evaluation in response to a software upgrade to its information systems.
- The Company did not adequately implement policies and procedures for authorizing access to the online application database.
- The Company failed to implement technology to verify the identity of the person or entity seeking access to ePHI maintained in the application database.
As a result, HHS and the Company entered into a Resolution Agreement whereby the Company agreed to pay HHS a $1.7 million settlement. Notably, the Resolution Agreement did not include a corrective action plan component, which typically requires additional compliance activities and some form of ongoing monitoring and reporting to OCR. This is yet another example of the trend toward increased enforcement under HIPAA and HITECH.
Practical Takeaways
In light of this development, covered entities of all types should take the necessary steps to ensure that their HIPAA compliance programs are effective, including:
- Evaluating security risks and vulnerabilities regularly and particularly when there is a material change or upgrade to information systems containing ePHI;
- Ensuring that technical safeguards are in place to adequately protect patient information;
- Reviewing and revising privacy and security policies and procedures to ensure that patient information is safeguarded;
- Periodically updating privacy and security training for workforce members and ensuring that policies and procedures are distributed throughout the workforce; and
- Developing and consistently enforcing internal sanctions for workforce members who violate privacy policies and procedures.
More information on this enforcement action, including the Resolution Agreement and the HHS press release, is available here.
If you need additional information about HIPAA and HITECH, please contact Mark Swearingen at 317-977-1458 or mswearingen@wp.hallrender.com or your regular Hall Render attorney.
Special thanks to Lea Lockhart, Associate, for her assistance with the preparation of this article.
Hall Render’s HIPAA Impact Series has provided in-depth analysis of HIPAA issues and developments since the passage of HITECH.