Aetna will pay almost $17.2 million to settle a federal class action lawsuit stemming from a 2017 mailing that disclosed the HIV status of health plan members. Aetna also agreed last week to pay a $1.15 million fine to the state of New York after the Attorney General Eric Schneiderman’s (NY AG) investigation into Aetna’s alleged violations of federal and state privacy laws. Both settlements require compliance monitoring and record keeping obligations.

Ironically, the mailings at issue were a required part of a settlement agreement from other lawsuits against Aetna first brought in 2014 and 2015. As part of those settlements, Aetna was required to mail notice to certain customers of the various options for obtaining HIV medications. Thousands of patients received the mailing from Aetna—names and addresses, and also HIV status, were visible through the clear window of the envelopes. Family, friends, roommates, landlords, neighbors, co-workers, mail carriers, or even complete strangers could see the individuals HIV status through the address window. In addition to the class action lawsuit, the NY AG launched an investigation.

Adding a HIPAA twist, the lawsuit and NY AG alleged that although Aetna sent protected health information to its outside counsel handling the matter under a HIPAA business associate agreement, neither Aetna nor its outside counsel executed a business associate agreement with the third party settlement administrator engaged to mail the notices. The settlements highlight the importance of maintaining and implementing comprehensive policies and procedures, and related trainings and audits, to prevent unauthorized disclosures of protected health information (PHI).

Class Action Settlement

The proposed agreement requires Aetna to pay almost $17.2 million into a settlement fund. In addition, Aetna agrees to develop and implement a “best practices” policy for the use of PHI in litigation. For five years, Aetna would also be required to provide annual training on this policy to in-house counsel whose primary responsibilities include managing litigation involving Aetna and to provide any updates to the policy to opposing counsel. Aetna also agrees to conduct an audit of all outside counsel handling its litigation matters to ensure the proper business associate agreements are in place.

Going forward, under the agreement, the settlement administrator in this case will take specific measures when mailing the settlement notices to class members: the envelopes containing the notice must obscure the contents of the envelope, the return address can have no identifying information other than a P.O. box, city, state and ZIP Code; and must include a statement on the front stating “Confidential Legal Information – To Be Opened Only By The Addressee.”

New York AG Investigation Settlement

In addition to the payment of a $1.15 million civil penalty, Aetna’s settlement with the NY AG requires the insurer to take steps to improve how it handles PHI in mailings. In the course of its investigation, the NY AG found information about an additional mailing privacy breach which revealed the medical condition of individuals on the outside of the mailed envelope. Aetna reported both breaches to the U.S. Department of Health and Human Services, Office for Civil Rights, as required under HIPAA.

Along with the policy for the use of PHI in litigation required under the class action settlement, the NY AG settlement requires Aetna to provide annual training and conduct a review of privacy processes and controls, including an internal audit of the implementation of a policy on the use of PHI in print and mailings. The settlement continues the trend of requiring the engagement of an independent consultant to review privacy policies and procedures and compliance with the settlement.

* * *

Covered entities’ responsibilities to safeguard PHI extend beyond technical controls. “Low-tech” breaches, including mis-directed faxes and mailing errors, continue to be a focus for privacy regulator scrutiny. Even outside the context of litigation, covered entities often use a vendor, or multiple vendors, for mailing services. Aetna’s settlements serve as reminders that organizations should have in place and continue to maintain and monitor compliance with policies and procedures to safeguard against unauthorized disclosures of PHI. With regard to vendors, covered entities should review agreements with service providers to ensure they are executing business associate agreements where required and that flow-down provisions are included.