WELLPOINT PAYS $1.7 MILLION FOR HIPAA BREACH

On July 11, the U.S. Department of Health and Human Services announced that health insurer Wellpoint Inc. has agreed to pay the sum of $1.7 million to settle claims that it violated the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). An improperly secured online database caused the electronic protected health information (ePHI) of 612,402 Wellpoint customers to be potentially vulnerable to unauthorized access, although the company said that it did not believe that any fraud or identity theft had occurred due to the breach.

WellPoint had self-reported the breach to HHS in 2010. In its investigation, HHS determined that Wellpoint had failed to:

  • adequately implement policies and procedures to authorize access to the online database,
  • perform an appropriate technical evaluation in response to a software upgrade to its information systems, or 
  • have technical safeguards in place to verify the person or entity seeking access to the ePHI maintained in the database.

In its statement, HHS said, “This case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.”

WellPoint's settlement is the latest in a series of recent similar payments arising out of data breaches by covered entities under HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act, which made HIPAA’s requirements directly applicable to “business associates” of covered entities.

CMS ANNOUNCES INITIAL PIONEER ACO RESULTS

On July 16, the Centers for Medicare & Medicaid Services (CMS) announced the results of the first performance year of the Pioneer Accountable Care Organization (ACO) program. The ACO model, established under the Affordable Care Act (ACA), is intended to encourage healthcare providers, including physicians, hospitals, insurers and others, to coordinate care to improve results and save money. ACO participants in the Medicare Shared Savings Program can receive a portion of the cost savings they achieve. The Pioneer model, designed for organizations that already have experience offering coordinated care, allows participating ACOs to receive a greater share of the savings achieved, in exchange for assuming more risk. Further discussion of ACOs may be found here.

CMS’s report stated that all 32 ACOs in the Pioneer program were able to improve the quality of care delivered, but only 13 of them were able to reduce costs sufficiently to be entitled to share in the cost savings. Two Pioneer ACOs, whose spending for care increased relative to their benchmark amounts, will owe Medicare $4 million.

CMS said that seven of the Pioneer ACOs intend to shift to the Medicare Shared Savings Program, in which they can assume a lower level of risk (or no risk), and two other Pioneers intend to withdraw from the ACO program entirely.

CMS RELEASES FINAL RULE ON “NAVIGATORS”

On July 12, CMS released a final rule outlining requirements applicable to “navigators” who will help consumers purchase health insurance in the insurance exchanges, or “marketplaces,” to be established under the ACA. The rule will apply to the “federally-facilitated” exchanges operated by states by the federal government, as well as to those exchanges operated in state-federal partnerships. Exchanges operated entirely by states will havethe option to use the new guidance or develop their own rules regarding navigators.

The rule, which finalizes two rules proposed earlier this year, sets forth training requirements, conflict of interest standards, and standards for serving disabled or non-English speaking consumers. In addition, the rule prohibits anyone who receives compensation directly or indirectly from an insurer in connection with enrollment in a health insurance policy from serving as a navigator.