WellPoint Fined $1.7M For ePHI Disclosure

WellPoint Fined $1.7M For ePHI DisclosureThe US Department of Health and Human Services (HHS) announced last week that the managed care company WellPoint, Inc. had agreed to pay a fine of $1.7 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules.

Like nearly all HHS fines, this case sends a message to all HIPAA covered entities – Watch your information systems or else. Those with web applications and portals must pay heed to the warning now more than ever. Though the facts are not detailed, it appears that patient records for over 600,000 individuals were breached in the ePHI disclosure. This data included names, dates of birth, addresses, Social Security numbers, telephone numbers and health information. Besides the medical privacy breach, the information clearly could be used for purposes of identity theft.

The HHS Office of Civil Rights (OCR) investigation indicated WellPoint did not:

  • adequately implement policies and procedures for authorizing access to the on-line application database

  • perform an appropriate  technical evaluation in response to a software upgrade to its information systems

  • have technical  safeguards in place to verify the person or entity seeking access to electronic protected health information maintained in its application database.

The settlement seems to indicate that a system upgrade may have been responsible for the breach. In the future, the vendor (or Business Associate) may be held directly liable for breaches. Beginning Sept. 23, 2013, liability for many of HIPAA’s requirements will extend directly to business associates that receive or store protected health information, such as contractors and subcontractors.

The take-home message is clear – HHS penalties will be more frequent, strict and severe; especially with changes to the HIPAA rule that allow for enforcement funding and the use of the fines to fund further investigative and punitive efforts. Covered Entities (CEs) and Business Associates (BAs) need to be vigilant in their efforts to safeguard Protected Health Information (PHI) and electronic Protected Health Information (ePHI).

If you are a CE or a BA and you’re unsure how to comply with the law, we strongly encourage you to contact Thom Infotech today to learn how you can achieve HIPAA compliance.