Recent HIPAA Settlements Result from Breaches Involving Web Portals and Copy Machines
By Clay J. Countryman, Breazeale, Sachse & Wilson, LLP, Baton Rouge, Louisiana
The Department of Health and Human Services (“HHS”) recently entered into two HIPAA settlement agreements involving the disclosure of electronic protected health information (“ePHI”) by health plans that provide important HIPAA compliance lessons for all covered entities. In each case, HHS commented that the health plans failed to assess and identify the potential security risks of the particular ePHI as required by the HIPAA Security Rule1 in the breaches that resulted in the settlements, as well as failing to implement policies to address the security of the ePHI. Both settlements were subsequent to an investigation by HHS’ Office for Civil Rights (“OCR”) following the submission of a breach report to OCR, as required by the HIPAA Breach Notification Rule.2
WellPoint, Inc. $1.7 Million Settlement
On July 11, 2013 HHS announced that managed care organization WellPoint Inc. (“WellPoint”) had agreed to pay $1.7 million to settle potential violations of the HIPAA Privacy and Security Rules relating to a breach of ePHI as a result of a software upgrade to WellPoint’s internet-based application consumer database.3 WellPoint first became aware of the breach in March 2010 when a WellPoint applicant in California filed a lawsuit notifying the company that she could access personal health data of other customers through a web portal to the application database.4
An interesting aspect in this settlement is that WellPoint is not a HIPAA covered entity. WellPoint is a holding company based in Indiana that owns or controls an interest in several health plans that comprise an Affiliated Covered Entity (“ACE”) under the HIPAA Rules.5 HHS had taken the position that WellPoint should be held responsible for the alleged HIPAA violations by these health plans because of the protected health information (“PHI”) shared between the ACE and WellPoint. The WellPoint ACE includes 45 individual health plans, most of which operate under the name Anthem, Blue Cross and/or Blue Shield and UNICARE.
WellPoint initially reported to OCR that 31,700 individuals were affected by the breach. However, WellPoint subsequently determined that the breach of consumers’ ePHI affected 612,404 individuals. In its investigation, OCR determined that WellPoint did not adequately:
- Implement policies and procedures for authorizing access to ePHI maintained in its web-based application database consistent with the requirements of the HIPAA Security Rule;
- Perform an appropriate technical evaluation response to a software upgrade, which affected the security of ePHI maintained in WellPoint’s internet-based application database; and
- Implement technology to verify the identity of a person or entity seeking access to ePHI maintained in WellPoint’s internet-based application database.
As a result, OCR concluded that WellPoint impermissibly disclosed the ePHI of individuals maintained in WellPoint’s internet-based consumer application database, which included individual names, dates of birth, addresses, Social Security numbers, telephone numbers and health information.
Affinity Health Plan, Inc. $1.2 Million Settlement
On August 14, 2013 HHS announced6 that Affinity Health Plan, Inc. (“Affinity”) agreed to settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780 resulting from the breach of ePHI that was left on the hard drives of copy machines leased by Affinity. Affinity, a managed care plan in the New York metropolitan area, had filed a breach report with OCR after a representative of the CBS evening news (“CBS”) informed Affinity of the ePHI on the hard drives on copy machines purchased by CBS that were previously leased to Affinity.
The OCR investigation of the breach reported by Affinity determined that Affinity impermissibly disclosed the ePHI of 344,579 individuals when Affinity returned several copy machines to leasing agents without erasing the data contained on the copier hard drives. OCR also determined that Affinity failed to incorporate the ePHI stored on the copy machines’ hard drives in Affinity’s analysis of the risks to its ePHI, and that Affinity failed to implement policies and procedures that address returning the leased copy machines which contain ePHI.
One of the important lessons from the Affinity settlement for covered entities is summarized in OCR’s comment that covered entities should make sure that all personal information is wiped from hardware before equipment is recycled, thrown away or sent back to a leasing agent.
Resolution Agreement and Corrective Action Obligations
The WellPoint Resolution Agreement did not include a Corrective Action Plan (“CAP”) similar to other resolution agreements between HHS and other covered entities.7 WellPoint most likely was not required to enter into a CAP, under which it may have incurred considerable obligations and costs, because OCR may have considered WellPoint to have taken sufficient mitigating actions and adopted adequate security measures to address the particular breaches from access to ePHI on WellPoint’s internet-based consumer application database.
The Affinity Resolution Agreement8 and CAP included several obligations that other covered entities should consider incorporating into their own HIPAA compliance plans to address ePHI stored on the hard drives of copy machines and other owned or leased equipment. Specifically, the CAP required Affinity to:
- Retrieve all photocopier hard drives contained in photocopiers previously leased by Affinity that remain in the possession of the leasing company, and safeguard all ePHI contained in the hard drives from any impermissible disclosures. If Affinity is unable to retrieve any of the hard drives, Affinity is required to provide OCR with documentation explaining its “best efforts” to obtain the hard drives and the reasons it was not able to retrieve any hard drives.
- Conduct a comprehensive risk analysis of the ePHI security risk and vulnerabilities that incorporates all electronic equipment and systems controlled, owned or leased by Affinity. Affinity was also required to develop a plan to address and mitigate any security risk and vulnerabilities found in this analysis and, if necessary, revise any of its present policies and procedures.
The WellPoint and Affinity HIPAA settlements contains both a compliance framework for covered entities that utilize an internet-based web portal to receive or allow access to ePHI of individuals, and a reminder to address security risks for ePHI stored or maintained on equipment. The significance of these settlements is highlighted in HHS’ comment in the WellPoint press release that “this case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.” The Affinity settlement serves as an important reminder of the potential liability to HIPAA covered entities from the improper disclosure of an individual’s ePHI on electronic equipment such as photocopiers and the importance of addressing the risk of such an improper disclosure in a risk analysis conducted by a covered entity.
These cases highlight the potential liability for Covered Entities to improper disclosure of an individual’s ePHI in different aspects of their operations, such as copy machines and web portals. It is not clear if this is an enforcement trend, but a message has been sent by OCR to the healthcare industry to ensure that all potential areas where ePHI may be stored or accessed should be addressed in an entity’s HIPAA compliance efforts.
The ABA Health eSource is distributed automatically to members of the ABA Health Law Section . Please feel free to forward it! Non-members may also sign up to receive the ABA Health eSource.