The Department of Health and Human Services (HHS) has announced a settlement with an insurance holding company involving potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The company will pay $3.5 million to settle the potential violations and must adopt a corrective action plan that includes training for its workforce members.
First, former employees of one of the company's subsidiaries:
Improperly accessed restricted areas of the subsidiary's proprietary internet database.
Gained access to electronic PHI housed in the database, which included employees' names, contract numbers, home addresses, diagnostic codes, and treatment codes.
The former employees were able to access the database because their access rights had not been terminated after they left the subsidiary's employment.
Second, in separate incidents, vendors of two of the company's subsidiaries disclosed PHI of the subsidiaries' Medicare Advantage beneficiaries on the outside of pamphlets mailed to the beneficiaries. The disclosed PHI included the individuals' names, mailing addresses, and health insurance claim numbers. Disclosure of the PHI to the vendors for mailing purposes occurred without a HIPAA business associate agreement (see Standard Documents, HIPAA Business Associate Agreement and Business Associate Policy).
Third, a former employee of a HIPAA business associate of two of the subsidiaries copied individuals' electronic PHI onto a CD, which he then:
Took home for an unknown period of time.
Downloaded onto a computer at his new employer.
The electronic PHI contained individuals' enrollment information, including their:
Names, contract numbers, and home addresses.
Social Security numbers and dates of birth.
Health insurance claim numbers.
Finally, a subsidiary reported to HHS that its enrollment staff placed the incorrect member ID cards in mailing envelopes, and individuals therefore received member ID cards belonging to other individuals. The disclosed PHI included individuals':
Names and ID numbers.
Benefit packages and effective dates.
Copayment and deductible information, and contract numbers.
In addition, the following incidents affected fewer than 500 individuals:
One of the company's subsidiaries disclosed PHI consisting of individuals' health plan identification numbers, which were placed on labels used for a mailing.
A mailing to individuals included PHI for other members on the backs of the individuals' letters, which included:
individuals' names; and
the names of preventive health tests that had been recommended for the individuals.
Corrective Measures
Under its resolution agreement with HHS, the company must pay the $3.5 million settlement amount and adopt a corrective action plan. Perhaps given the scope of the unauthorized access and disclosures involved in this enforcement action (and the severity of the $3.5 million payment), HHS's resolution agreement with the company includes detailed requirements focused on HIPAA training (see Standard Document, HIPAA Training for Group Health Plans: Presentation Materials). Among other steps, the company must:
Timely provide HHS with its HIPAA privacy, security, and breach notification training materials.
Make required changes to the training materials in light of HHS's review.
Provide training, using the HHS-approved training materials, to all workforce members:
within 60 days of HHS's approval; and
every twelve months after that.
Obtain a certification, from each workforce member who must attend the training, that:
specifies the date the training was received; and
is in either electronic or written form.
Review its training annually and make updates as needed to reflect:
changes in federal law or HHS guidance; and
any issues discovered during audits or review.
Finally, the company must not allow its workforce members to access electronic PHI unless they have signed or provided a training certification.
For HIPAA covered entities in general, the enforcement action highlights the importance of:
Compliant business associate agreements with third-party administrators, other service providers, and vendors.
Risk analyses that include all IT equipment, applications, and data systems that use electronic PHI.
Procedures for terminating access to electronic PHI when employees and other workforce members stop working for an employer.
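The first incident above (former employees whose database access was never revoked) and the agreement's "no training certification, no access to electronic PHI" condition both reduce to the same periodic reconciliation: compare the accounts that can reach electronic PHI against the HR roster and the training records, and flag anything out of step. The script below is an added example and is not part of the HHS resolution agreement or any covered entity's tooling; the roster, account list, access log, user IDs and dates are constructed sample data, and the 365-day training validity window is an assumption standing in for the agreement's "every twelve months" retraining requirement.

```python
"""Reconcile accounts on an electronic PHI system against HR and training records.

Added example (not from the resolution agreement). Reports:
  1. enabled accounts whose owner's termination date has passed,
  2. access-log entries made by an account after its owner's termination date,
  3. enabled accounts with no training certification inside the validity window,
  4. enabled accounts with no matching workforce record at all.
All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TRAINING_VALIDITY = timedelta(days=365)  # assumed: certification must be within the last year


@dataclass(frozen=True)
class Worker:
    user_id: str
    termination_date: Optional[date]  # None = still employed


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    training_certified_on: Optional[date]  # None = no certification on file


@dataclass(frozen=True)
class AccessEvent:
    user_id: str
    when: date
    action: str


def stale_accounts(roster, accounts, as_of):
    """Enabled accounts belonging to workers whose termination date is on or before as_of."""
    gone = {w.user_id for w in roster
            if w.termination_date is not None and w.termination_date <= as_of}
    return sorted(a.user_id for a in accounts if a.enabled and a.user_id in gone)


def post_termination_access(roster, events):
    """Log entries dated after the acting user's termination date."""
    term = {w.user_id: w.termination_date for w in roster if w.termination_date is not None}
    return sorted((e.user_id, e.when.isoformat(), e.action)
                  for e in events if e.user_id in term and e.when > term[e.user_id])


def uncertified_accounts(accounts, as_of):
    """Enabled accounts with no training certification, or one older than the validity window."""
    cutoff = as_of - TRAINING_VALIDITY
    return sorted(a.user_id for a in accounts if a.enabled and
                  (a.training_certified_on is None or a.training_certified_on < cutoff))


def unknown_owner_accounts(roster, accounts):
    """Enabled accounts with no workforce record (e.g. a contractor or vendor login nobody owns)."""
    known = {w.user_id for w in roster}
    return sorted(a.user_id for a in accounts if a.enabled and a.user_id not in known)


def review_access(roster, accounts, events, as_of):
    """Run all four checks and return the findings keyed by check name."""
    return {
        "stale_accounts": stale_accounts(roster, accounts, as_of),
        "post_termination_access": post_termination_access(roster, events),
        "uncertified_accounts": uncertified_accounts(accounts, as_of),
        "unknown_owner_accounts": unknown_owner_accounts(roster, accounts),
    }


# Constructed sample data (hypothetical IDs and dates).
AS_OF = date(2024, 6, 30)
ROSTER = [
    Worker("u1001", None),
    Worker("u1002", date(2024, 3, 15)),   # left in March, account never disabled
    Worker("u1003", date(2024, 5, 1)),    # left in May, account correctly disabled
    Worker("u1004", date(2024, 7, 15)),   # leaving next month, still employed
]
ACCOUNTS = [
    Account("u1001", True, date(2024, 1, 10)),
    Account("u1002", True, date(2023, 5, 1)),   # stale certification as well
    Account("u1003", False, date(2024, 2, 1)),
    Account("u1004", True, None),               # never certified
    Account("u1005", True, date(2024, 3, 1)),   # nobody in HR owns this login
]
EVENTS = [
    AccessEvent("u1001", date(2024, 6, 1), "SELECT member_record"),
    AccessEvent("u1002", date(2024, 3, 10), "SELECT member_record"),  # before leaving: fine
    AccessEvent("u1002", date(2024, 4, 2), "SELECT member_record"),   # after leaving: finding
    AccessEvent("u1003", date(2024, 5, 1), "LOGIN"),                  # last day: not flagged
]

if __name__ == "__main__":
    for check, hits in review_access(ROSTER, ACCOUNTS, EVENTS, AS_OF).items():
        print(f"{check}: {hits}")
```

Running it against the sample data reports u1002 under the first three checks and u1005 as an account with no owner on the roster. The reconciliation is only as good as the feeds it reads, so the HR roster and the access log must be pulled from their systems of record rather than from the PHI application itself, and a hit under "stale_accounts" should disable the account, not just be filed.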