WellPoint, Inc. (“WellPoint”), a health benefits company, recently entered into a Resolution Agreement with the Department of Health and Human Services (“HHS”), in which WellPoint agreed to pay HHS $1.7 million to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules.

In June 2010, WellPoint reported to HHS a breach of its unsecured protected health information, which resulted from WellPoint’s failure to implement appropriate administrative and technical safeguards before making changes to its information systems. Following WellPoint’s reported breach, the HHS Office for Civil Rights (“OCR”) conducted an investigation and found that from October 23, 2009 to March 7, 2010, WellPoint impermissibly disclosed the electronic protected health information (“ePHI”), including names, dates of birth, addresses, Social Security Numbers, telephone numbers, and health information, of approximately 612,000 individuals. Specifically, the OCR found that WellPoint did not:

  • Adequately implement policies and procedures for authorizing access to the online database containing ePHI;
  • Perform an appropriate technical evaluation in response to a software upgrade to its information systems; and
  • Have technical safeguards in place to verify the identity of any person or entity seeking access to ePHI maintained in its online database.

In a July press release, HHS stated that this case “sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.” Covered entities should therefore confirm that the safeguards required to protect ePHI, including access authorization and user authentication, are in place before deploying or modifying Web-based applications or portals that expose that data.

HHS cautions that “reasonable and appropriate technical, administrative, and physical safeguards” must be in place when system upgrades are performed by covered entities or their business associates. HHS also notes that beginning September 23, 2013, “liability for many of HIPAA’s requirements will extend directly to business associates that receive or store protected health information.”