Covered Entities Cautioned Regarding Use of Business Associates
The WellPoint matter serves as a reminder to HIPAA-covered entities and subcontractors that are business associates to comply with the HIPAA Security Rule and to prudently oversee the services provided by these business associates.
On July 8, 2013, health insurer WellPoint, Inc. entered into a Resolution Agreement with the U.S. Department of Health and Human Services, Office for Civil Rights (HHS), agreeing to pay HHS $1.7 million to resolve an HHS complaint regarding violations of the HIPAA Privacy and Security Rules during the period of October 23, 2009, through March 7, 2010. WellPoint reported a breach of electronic protected health information (ePHI) on June 18, 2010, leading to an HHS investigation that commenced on September 9, 2010.
The breach concerned WellPoint's consumer online application database. HHS found that WellPoint failed to:
- Adequately implement policies and procedures for authorizing access to the online application database containing ePHI,
- Perform an appropriate technical evaluation in response to a software upgrade to its information systems and
- Have technical safeguards in place to verify the person or entity seeking access to ePHI maintained in its online database.
As a result of these security deficiencies, WellPoint impermissibly disclosed the ePHI of approximately 612,000 individuals whose ePHI was maintained in the online database, including: names; birth dates; addresses; Social Security numbers; telephone numbers; and health information. WellPoint did not admit liability for these actions.
Although not directly stated in the Resolution Agreement, these deficiencies seem to have been related to WellPoint's use of a subcontractor that had access to the ePHI (a HIPAA business associate). In its press release regarding this settlement, HHS cautioned that "[w]hether systems upgrades are conducted by covered entities or their business associates, HHS expects organizations to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of [ePHI] – especially information that is accessible over the Internet." HHS also noted that as of September 23, 2013, liability for many of HIPAA's requirements extends directly to business associates that receive or store protected health information, such as contractors and subcontractors.
The Resolution Agreement does not mention a corrective action plan agreed to by WellPoint. As soon as the situation was discovered in 2010, however, we understand that WellPoint made security changes to its database, notified all potentially affected individuals of the breach and provided credit monitoring and identity theft insurance to such individuals.
The WellPoint matter serves as a reminder to HIPAA-covered entities and subcontractors that are business associates to comply with the HIPAA Security Rule and to prudently oversee the services provided by these business associates. Business associates that handle PHI, whether electronic or not, should also ensure strict compliance.
For additional information regarding HIPAA compliance and breach notification requirements, please contact Lisa W. Clark, Neville M. Bilimoria, Dmitry Tuchinsky, any member of the Health Law Practice Group or the attorney in the firm with whom you are regularly in contact.
This article is for general information and does not include full legal analysis of the matters presented. It should not be construed or relied upon as legal advice or legal opinion on any specific facts or circumstances. The description of the results of any specific case or transaction contained herein does not mean or suggest that similar results can or could be obtained in any other matter. Each legal matter should be considered to be unique and subject to varying results. The invitation to contact the authors or attorneys in our firm is not a solicitation to provide professional services and should not be construed as a statement as to any availability to perform legal services in any jurisdiction in which such attorney is not permitted to practice.
Duane Morris LLP, a full-service law firm with more than 700 attorneys in 24 offices in the United States and internationally, offers innovative solutions to the legal and business challenges presented by today's evolving global markets. Duane Morris LLP, a full-service law firm with more than 700 attorneys in 24 offices in the United States and internationally, offers innovative solutions to the legal and business challenges presented by today's evolving global markets. The Duane Morris Institute provides training workshops for HR professionals, in-house counsel, benefits administrators and senior managers.