HHS OCR Sends Message To CEs And Their BAs: Protect ePHI Accessible Over The Internet

BakerHostetler

The Department of Health and Human Services, Office for Civil Rights recently announced a $1.7 million resolution agreement with WellPoint, Inc., a health insurer and managed care company.

In its third resolution agreement of 2013, the Department of Health and Human Services, Office for Civil Rights (HHS OCR) today announced a $1.7 million resolution agreement with WellPoint, Inc., a health insurer and managed care company. The resolution agreement stems from WellPoint's June 18, 2010 report to OCR regarding security weaknesses in an online application database that left the ePHI of 612,402 individuals accessible to unauthorized individuals over the Internet for almost 5 months in 2009-2010. The accessible information included names, dates of birth, Social Security numbers, telephone numbers, and health information.

In response to WellPoint's report, OCR initiated its investigation into WellPoint's compliance with the Privacy, Security, and Breach Notification Rules on September 9, 2010. OCR's investigation indicated the following:

  • Contrary to its obligations under the Security Rule, WellPoint failed to adequately implement policies and procedures for authorizing access to ePHI maintained in its web-based application database;
  • WellPoint failed to perform an adequate technical evaluation to ensure that safeguards were in place to meet the requirements of the Security Rule for an operational change – a software upgrade – which would affect the security of ePHI maintained in its web-based application database;
  • Between October 23, 2009 and March 7, 2010, WellPoint failed to adequately implement technology to verify persons or entities seeking access to ePHI maintained in its web-based application database;
  • During the same period of time, WellPoint impermissibly disclosed the ePHI of approximately 612,000 individuals maintained in its web-based application database.

In its press release regarding the WellPoint settlement, HHS directly instructs covered entities and their business associates to have in place reasonable and appropriate technical, administrative, and physical safeguards to protect the confidentiality, integrity, and availability of ePHI. As previously discussed on the Data Privacy Monitor, beginning September 23, 2013, liability for HIPAA violations will extend directly to business associates that receive or store PHI.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
