Insurer Enters Into $1.7 Million Health Insurance Portability and Accountability Act (HIPAA) Settlement

vonBriesen

The U.S. Department of Health and Human Services (HHS) announced yesterday that it has entered into a resolution agreement with a national managed care organization and health insurance company (hereinafter “Company”) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Investigation and Resolution Agreement

The HHS Office for Civil Rights (OCR) conducted an investigation after receiving the Company’s breach report, which is required for breaches of unsecured protected health information (PHI) under the Health Information Technology for Economic and Clinical Health Act (HITECH) Breach Notification Rule.

The investigation indicated that the Company had not implemented the administrative and technical safeguards required by the Security Rule and, as a result, security weaknesses in an online application database left the electronic PHI (ePHI) of 612,042 individuals unsecured and accessible to unauthorized individuals over the internet. The PHI at issue included names, dates of birth, addresses, social security numbers, telephone numbers, and health information. Specifically, with regard to ePHI maintained in its web-based application database, the Company did not:

  1. Adequately implement policies and procedures for authorizing access to ePHI;
  2. Perform an adequate technical evaluation in response to a software upgrade affecting the security of ePHI; or
  3. Adequately implement technology to verify the identity of the person/entity seeking access to ePHI.

HHS and the Company entered into a resolution agreement, and the Company agreed to pay a $1.7 million settlement. Notably, the resolution agreement did not include a corrective action plan for the Company.

Stepped-Up Enforcement

Beginning with the September 23, 2013 Omnibus Rule compliance date, HHS will have direct enforcement authority over business associates and subcontractors. The settlement is an indication that HHS will not hesitate to extend enforcement actions to business associates and subcontractors.

The settlement is also a reminder of HHS expectations regarding compliance with HIPAA and HITECH standards. HHS noted that “whether systems upgrades are conducted by covered entities or their business associates, HHS expects organizations to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of electronic protected health information – especially information that is accessible over the Internet.”

More information regarding the Omnibus Rule and its expanded liability is available here.

Published by

National Law Forum
