In a continuation of its recent enforcement streak, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced two new HIPAA settlements last week. The first settlement is with Aetna Life Insurance Company and its affiliates, all of which are designated as a single affiliated covered entity under HIPAA (Aetna). The settlement resolves three HIPAA breaches that occurred within a six-month time span. The second settlement is with the Health Department of the City of New Haven, Connecticut and resolves the impermissible disclosure of protected health information (PHI) to a former employee.
Aetna Breaches
In April 2017, Aetna discovered that two web services it used to display plan-related documents to health plan members had allowed those documents to be accessed without login credentials and to be indexed by various internet search engines. This breach reportedly affected 5,002 individuals, and the PHI disclosed included names, insurance identification numbers, claim payment amounts, procedure service codes, and dates of service.
In July 2017, Aetna mailed benefit notices to members using envelopes with windows to display the member’s address. Shortly after mailing the notices, Aetna received complaints that the letter could be shifted inside the envelope such that the words “HIV medication” could be seen through the envelope’s window. This impermissible disclosure reportedly affected 11,887 individuals.
In September 2017, the envelope of a research study mailing sent to Aetna plan members contained the name and logo of the atrial fibrillation (i.e., irregular heartbeat) research study in which they were participating. This impermissible disclosure reportedly affected 1,600 individuals.
After each breach report Aetna submitted to HHS, OCR promptly initiated an investigation; together, these investigations revealed various HIPAA violations. HHS alleged that Aetna failed to perform periodic technical and nontechnical evaluations of operational changes affecting the security of its electronic PHI (ePHI); failed to implement procedures to verify the identity of persons or entities seeking access to ePHI; failed to limit PHI disclosures to the minimum necessary to accomplish the purpose of the use or disclosure; and failed to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. According to the terms of the Resolution Agreement, Aetna will pay HHS a $1,000,000 penalty and comply with a two-year Corrective Action Plan.
New Haven Health Department Breach
Following the receipt of a breach report from the New Haven Health Department, OCR conducted an investigation which revealed that on July 26, 2016, a former employee returned to the New Haven Health Department eight days after being terminated, entered the office building with her work key, and used her still-active username and password to log in and download the PHI of 498 individuals. The former employee had also shared her username and password with an intern, who continued to use the credentials after the employee's termination.
HHS alleged that the New Haven Health Department failed to implement termination procedures and access controls such as unique user identification. According to the Resolution Agreement, the City of New Haven agreed to pay a $202,400 penalty and to comply with a two-year Corrective Action Plan.
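The two control failures HHS cites here, credentials that outlive the employment relationship and a single username shared between people, are both detectable from ordinary authentication logs joined against an HR termination list. The script below is an added example written for this article, not code from HHS, OCR, or the City of New Haven. The usernames, IP addresses, log format, and the July 18, 2016 termination date are all constructed assumptions (the date is chosen only so that the July 26 login falls eight days after termination, as the Resolution Agreement describes); the log lines are likewise invented, not records from the actual breach.

```python
"""Detect post-termination logins and shared-credential indicators.

Added example for this article; not from HHS, OCR, or the City of New Haven.
The HR record and log lines below are constructed for illustration.
"""
from datetime import datetime

# Constructed HR feed: username -> date the account should have been disabled.
# The 2016-07-18 date is an assumption (eight days before the July 26 login).
TERMINATIONS = {"jdoe": datetime(2016, 7, 18)}

# Constructed application log: "date time user source_ip action".
LOG_LINES = """\
2016-07-12 08:55:02 jdoe 10.1.2.57 login
2016-07-15 09:02:11 jdoe 10.1.2.40 login
2016-07-15 09:02:30 jdoe 10.1.2.40 download case_list.xlsx
2016-07-26 18:41:09 jdoe 10.1.2.40 login
2016-07-26 18:43:51 jdoe 10.1.2.40 download case_list.xlsx
2016-07-27 10:12:44 asmith 10.1.2.61 login
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            continue  # skip blank or malformed lines rather than crash
        date, time, user, ip, action = parts
        events.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "user": user,
            "ip": ip,
            "action": action,
        })
    return events


def post_termination_events(events, terminations):
    """Any activity by an account after its HR termination date is a
    termination-procedure failure: the account was never disabled."""
    return [e for e in events
            if e["user"] in terminations and e["ts"] > terminations[e["user"]]]


def multi_source_users(events, min_sources=2):
    """Usernames that log in from several source addresses. With unique
    user IDs this is benign; on a shared account it is a hint that more than
    one person holds the password, as with the intern in the New Haven case."""
    sources = {}
    for e in events:
        if e["action"] == "login":
            sources.setdefault(e["user"], set()).add(e["ip"])
    return {u: ips for u, ips in sources.items() if len(ips) >= min_sources}


def report(text=LOG_LINES, terminations=TERMINATIONS):
    """Run both checks over a log and return the findings for review."""
    events = parse_log(text)
    return {
        "post_termination": post_termination_events(events, terminations),
        "multi_source": multi_source_users(events),
    }


if __name__ == "__main__":
    findings = report()
    for e in findings["post_termination"]:
        print(f"POST-TERMINATION {e['ts']} {e['user']} {e['ip']} {e['action']}")
    for user, ips in findings["multi_source"].items():
        print(f"MULTI-SOURCE {user} {sorted(ips)}")
```

On the constructed data the first check flags the two July 26 events for `jdoe`, the login and the download, because they fall after the account's termination date; the second check flags `jdoe` as logging in from two addresses. Neither finding proves misuse on its own, which is why the script reports rather than blocks, but an account that is both past its termination date and in use from several machines is exactly the pattern OCR describes, and a daily run of the first check against the HR feed is a cheap way to catch an account that offboarding missed.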
These HIPAA settlements are a reminder to covered entities that not all HIPAA breaches are electronic. Something as simple as a letter shifting inside an envelope, or the failure to collect an office key and disable the account of a terminated employee, can lead to the impermissible disclosure of PHI. Covered entities must consider every way in which they maintain, transfer, and protect PHI to ensure it is kept secure and disclosed only to intended recipients.