Covered Entities Cautioned Regarding Use of Business Associates
On July 8, 2013, health insurer WellPoint, Inc. entered into a Resolution Agreement with the U.S. Department of Health and Human Services, Office for Civil Rights (HHS), agreeing to pay HHS $1.7 million to resolve an HHS complaint regarding violations of the HIPAA Privacy and Security Rules during the period of October 23, 2009, through March 7, 2010. WellPoint reported a breach of electronic protected health information (ePHI) on June 18, 2010, leading to an HHS investigation that commenced on September 9, 2010.
The breach concerned WellPoint's consumer online application database. HHS found that WellPoint failed to:
Adequately implement policies and procedures for authorizing access to the online application database containing ePHI,
Perform an appropriate technical evaluation in response to a software upgrade to its information systems and
Have technical safeguards in place to verify the person or entity seeking access to ePHI maintained in its online database.
As a result of these security deficiencies, WellPoint impermissibly disclosed the ePHI of approximately 612,000 individuals whose ePHI was maintained in the online database, including: names; birth dates; addresses; Social Security numbers; telephone numbers; and health information. WellPoint did not admit liability for these actions.
Although not directly stated in the Resolution Agreement, these deficiencies seem to have been related to WellPoint's use of a subcontractor that had access to the ePHI (a HIPAA business associate). In its press release regarding this settlement, HHS cautioned that "[w]hether systems upgrades are conducted by covered entities or their business associates, HHS expects organizations to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of [ePHI] – especially information that is accessible over the Internet." HHS also noted that as of September 23, 2013, liability for many of HIPAA's requirements extends directly to business associates that receive or store protected health information, such as contractors and subcontractors.
The Resolution Agreement does not mention a corrective action plan agreed to by WellPoint. As soon as the situation was discovered in 2010, however, we understand that WellPoint made security changes to its database, notified all potentially affected individuals of the breach and provided credit monitoring and identity theft insurance to such individuals.
The WellPoint matter serves as a reminder to HIPAA-covered entities and subcontractors that are business associates to comply with the HIPAA Security Rule and to prudently oversee the services provided by these business associates. Business associates that handle PHI, whether electronic or not, should also ensure strict compliance.