WellPoint agrees to pay $1.7M in HIPAA penalties: what this tells you


The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced that WellPoint, Inc. agreed to pay $1.7 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). 


If you are a covered entity or business associate under HIPAA, this settlement underscores the importance of examining all aspects of your privacy and security compliance program before a breach occurs.  If you don’t, OCR will.


The OCR investigation began after WellPoint reported a breach as required under the breach notification requirements pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act.  The investigation revealed that WellPoint failed to implement the appropriate administrative and technical safeguards required under the HIPAA Security Rule.  Consequently, OCR concluded that WellPoint impermissibly disclosed electronic protected health information (ePHI), including dates of birth, addresses, Social Security numbers and health information.  The disclosures involved 612,402 individuals from October 23, 2009 to March 7, 2010.    


The Catch-22 effect of mandatory security breach notice requirements for PHI under HIPAA and several state breach notice laws is that compliance with these notice requirements triggers scrutiny by OCR, state regulators and the plaintiffs’ bar.  The WellPoint investigation provides a clear example of this dynamic, as does HHS’s investigation of the Alaska Department of Health and Human Services (ADHHS) in 2010.  There, a theft of a portable electronic storage device from an ADHHS technician led to HHS’s investigation of all aspects of ADHHS’s privacy and security programs, which HHS found to be deficient.  HHS fined ADHHS $1.7 million in June 2012 and entered into a Resolution Agreement requiring ADHHS to implement entirely new policies, procedures and training. 


The WellPoint and ADHHS investigations show that HHS enforcement actions focus not only on the reported security breach but also on the entirety of an entity’s HIPAA compliance program.  This underscores the importance of having a strong compliance program in place before a breach occurs.


The HHS press release regarding the WellPoint settlement may be found here and the Resolution Agreement may be found here.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© DLA Piper | Attorney Advertising
