HHS OCR Sends Message to CEs and their BAs: Protect ePHI Accessible Over the Internet

Kimberly M. Wong
BakerHostetler
Contact
LinkedIn
Facebook
X
Send
Embed

In its third resolution agreement of 2013, the Department of Health and Human Services, Office for Civil Rights (HHS OCR) today announced a $1.7 million resolution agreement with WellPoint, Inc., a health insurer and managed care company. The resolution agreement stems from WellPoint’s June 18, 2010 report to OCR regarding security weaknesses in an online application database which left the ePHI of 612,402 individuals accessible to unauthorized individuals over the Internet for almost 5 months between 2009-2010. Information accessible included names, dates of birth, Social Security numbers, telephone numbers, and health information.

In response to WellPoint’s report, OCR initiated its investigation into WellPoint’s compliance with the Privacy, Security, and Breach Notification Rules on September 9, 2010. OCR’s investigation indicated the following:

  • Contrary to its obligations under the Security Rule, WellPoint failed to adequately implement policies and procedures for authorizing access to ePHI maintained in its web-based application database;
  • WellPoint failed to perform an adequate technical evaluation to ensure that safeguards were in place to meet requirements of the Security Rule for an operational change – a software upgrade – which would affect the security of ePHI maintained in its web-based application database;
  • Between October 23, 2009 until March 7, 2010, WellPoint failed to adequately implement technology to verify persons or entities seeking access to ePHI maintained in its web-based application database;
  • During the same period of time, WellPoint impermissibly disclosed the ePHI of approximately 612,000 individuals maintained in its web-based application database.

Directly addressed in HHS’ press release regarding the WellPoint settlement, HHS instructs covered entities and their business associates to have in place reasonable and appropriate technical, administrative, and physical safeguards to protect the confidentiality, integrity, and availability of ePHI. As previously discussed on the Data Privacy Monitor, beginning September 23, 2013, liability for HIPAA violations will extend directly to business associates that receive or store PHI.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising

Written by:

BakerHostetler
BakerHostetler
Contact
more
less

BakerHostetler on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide