The Department of Health and Human Services (HHS) has announced a settlement of potential security-oriented violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) with a Washington-based health plan—a HIPAA covered entity (CE) and business associate (BA). Under the agreement, the plan must pay $6.85 million to HHS and comply with a two-year corrective action plan (CAP).
PHI of Over Ten Million Individuals Stolen in Cyber Attack
In March 2015, the health plan submitted a breach report to HHS, indicating that cyber-attackers had gained access to its system in May 2014 through a phishing email that installed malware on the plan's system—which in turn permitted access to the plan's network. The attack lasted from May 2014 until January 2015 and resulted in the impermissible disclosure of the electronic protected health information (ePHI) of more than 10.4 million individuals, including their names, addresses, dates of birth, email addresses, Social Security numbers, and banking and health plan information.
HHS's investigation revealed that the plan failed to:
Conduct an accurate and thorough assessment of the risks and vulnerabilities concerning the ePHI in its possession.
Implement sufficient security procedures to adequately reduce the risks and vulnerabilities to its ePHI.
Implement adequate hardware, software, or procedural mechanisms to record and review activity on its information systems containing ePHI until March 2015.
Prevent unauthorized access to the ePHI of more than 10.4 million individuals that was stored on its network.
Corrective Action Plan Focuses on Security Rule Compliance
In addition to the $6.85 million payment, the health plan must comply with a CAP that imposes obligations concerning risk analysis and risk management, HIPAA policies and procedures, and reporting violations of its policies and procedures.
Risk Analysis and Risk Management
The CAP requires the plan to:
Perform an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI in its possession (see Article, HIPAA Compliance and the Limits of Gap Analyses).
Create and adopt an enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis.
Annually review and, if necessary, revise the risk analysis and corresponding risk management plan.
The plan must submit its risk analysis and risk management plan to HHS for approval.
HIPAA Policies and Procedures; Minimum Content Requirements
The CAP also requires the plan to revise its HIPAA policies and procedures so that they address specified Security Rule provisions, and to:
Submit the revised policies and procedures to HHS for approval.
Once approved, adopt and distribute the revised policies and procedures to workforce members.
Review and, if necessary, revise the policies and procedures annually.
Reportable Events
Under the CAP, the plan must promptly investigate reports that a workforce member has violated its HIPAA policies and procedures. If an investigation reveals that a workforce member has materially violated the plan's policies and procedures (referred to in the CAP as a reportable event), the plan must notify HHS in writing, including:
A description of the reportable event, including the role of the workforce member involved and the relevant policy provision that was violated.
A description of the plan's mitigation efforts, any steps it plans to take to prevent future violations, and sanctions imposed, if any.