The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced that WellPoint, Inc. agreed to pay $1.7 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
If you are a covered entity or business associate under HIPAA, this settlement underscores the importance of examining all aspects of your privacy and security compliance programs before a breach occurs. If you don’t, OCR will.
The OCR investigation began after WellPoint reported a breach, as required under the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The investigation revealed that WellPoint had failed to implement the administrative and technical safeguards required under the HIPAA Security Rule. Consequently, OCR concluded that WellPoint impermissibly disclosed electronic protected health information (ePHI), including dates of birth, addresses, Social Security numbers and health information. The disclosures involved 612,402 individuals between October 23, 2009 and March 7, 2010.
The Catch-22 effect of mandatory security breach notice requirements for PHI under HIPAA and several state breach notice laws is that compliance with these notice requirements triggers scrutiny by OCR, state regulators and the plaintiffs’ bar. The WellPoint investigation provides a clear example of this dynamic, as does HHS’s investigation of the Alaska Department of Health and Human Services (ADHHS) in 2010. There, a theft of a portable electronic storage device from an ADHHS technician led to HHS’s investigation of all aspects of ADHHS’s privacy and security programs, which HHS found to be deficient. HHS fined ADHHS $1.7 million in June 2012 and entered into a Resolution Agreement requiring ADHHS to implement entirely new policies, procedures and training.
The WellPoint and ADHHS investigations show that HHS enforcement actions focus not only on the reported security breach but on the entirety of an entity’s HIPAA compliance program. This underscores the importance of having a strong compliance program in place before a breach occurs.