HHS OCR Sends Message to CEs and their BAs: Protect ePHI Accessible Over the Internet


In its third resolution agreement of 2013, the Department of Health and Human Services, Office for Civil Rights (HHS OCR) today announced a $1.7 million resolution agreement with WellPoint, Inc., a health insurer and managed care company. The resolution agreement stems from WellPoint’s June 18, 2010 report to OCR regarding security weaknesses in an online application database which left the ePHI of 612,402 individuals accessible to unauthorized individuals over the Internet for almost 5 months between 2009-2010. Information accessible included names, dates of birth, Social Security numbers, telephone numbers, and health information.

In response to WellPoint’s report, OCR initiated its investigation into WellPoint’s compliance with the Privacy, Security, and Breach Notification Rules on September 9, 2010. OCR’s investigation indicated the following:

  • Contrary to its obligations under the Security Rule, WellPoint failed to adequately implement policies and procedures for authorizing access to ePHI maintained in its web-based application database;
  • WellPoint failed to perform an adequate technical evaluation to ensure that safeguards were in place to meet requirements of the Security Rule for an operational change – a software upgrade – which would affect the security of ePHI maintained in its web-based application database;
  • Between October 23, 2009 until March 7, 2010, WellPoint failed to adequately implement technology to verify persons or entities seeking access to ePHI maintained in its web-based application database;
  • During the same period of time, WellPoint impermissibly disclosed the ePHI of approximately 612,000 individuals maintained in its web-based application database.

Directly addressed in HHS’ press release regarding the WellPoint settlement, HHS instructs covered entities and their business associates to have in place reasonable and appropriate technical, administrative, and physical safeguards to protect the confidentiality, integrity, and availability of ePHI. As previously discussed on the Data Privacy Monitor, beginning September 23, 2013, liability for HIPAA violations will extend directly to business associates that receive or store PHI.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising

Written by:


BakerHostetler on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.