HHS Resolution Agreements: City of New Haven (Oct. 13, 2020); Aetna Life Ins. Co. (Oct. 1, 2020); HHS News Releases: City of New Haven (Oct. 30, 2020); Aetna Life Ins. Co. (Oct. 28, 2020)
HHS’s Office for Civil Rights (OCR) has announced two settlements resolving alleged violations of HIPAA’s privacy and security rules. The first settlement involved a health insurer that reported three separate breaches affecting protected health information (PHI) of more than 18,000 individuals. One breach report stemmed from the insurer’s discovery that two web services used to disclose plan-related documents to health plan members allowed the documents to be accessed without login credentials and to be indexed by various internet search engines. Another report indicated that the words “HIV medication” could be seen through window envelopes containing benefit notices mailed to members. (A court previously declined to dismiss a plan participant’s invasion of privacy claim based on this incident (see our Checkpoint article).) And a third report noted that envelopes mailed to participants in a research study disclosed the medical condition being studied. OCR’s investigation revealed that the insurer failed to perform periodic technical and nontechnical evaluations of operational changes affecting the security of electronic PHI; implement procedures to verify the identity of persons or entities seeking access to PHI; limit disclosures of PHI to the minimum necessary; and implement appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. In addition to a $1 million settlement payment, the insurer agreed to a corrective action plan (CAP) addressing the identified failures.
In the second settlement, OCR’s investigation began after a city health department filed a breach report stating that a former employee may have accessed a file containing PHI of 498 individuals. The investigation revealed that the former employee returned to the health department eight days after being terminated, used a key to enter her former office, logged into her old computer with her still-active user name and password, downloaded PHI onto a USB drive, and removed paper files. Additionally, OCR found that the former employee had shared her user ID and password with an intern, who continued to use these login credentials to access PHI on the department’s network after the employee’s termination. OCR asserted that the health department failed to conduct an enterprise-wide risk analysis and failed to implement access controls, such as unique user identification; termination procedures; and other privacy policies and procedures. In addition to a $202,400 settlement payment, the department agreed to a CAP requiring a comprehensive risk analysis, subject to OCR’s review and approval, that incorporates a complete inventory of facilities, equipment, data systems and applications containing PHI; policies and procedures addressing the identified failures; and training of all workforce members.
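The second settlement is, in security terms, a deprovisioning and credential-sharing failure: a terminated employee's account was never disabled, and the credentials had been handed to an intern who kept using them. As an added illustration that is not part of the EBIA article or of either resolution agreement, the following Python script runs the three reconciliation checks a practitioner would want in place: accounts still enabled after an HR separation date, successful logins by a separated user after that date, and one account authenticating from different workstations within a short window (an indicator of shared credentials, not proof). All users, dates, hosts and log lines are constructed for the example; the HR roster, directory export and log format are hypothetical stand-ins for whatever a real health department would pull from its HR system, directory and authentication logs.

```python
"""Added example: reconcile HR separations against a directory export and
authentication logs. Every record below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR separation list: user -> termination date (hypothetical).
HR_SEPARATIONS = {
    "jdoe": datetime(2020, 7, 1),
}

# Constructed directory export: user -> account still enabled? (hypothetical).
DIRECTORY = {
    "jdoe": True,      # separated on 2020-07-01 but never disabled
    "intern1": True,
    "mlee": True,
}

# Constructed authentication log in a hypothetical "ts key=value ..." format.
AUTH_LOG = """\
2020-06-29T08:55:10 user=jdoe host=HD-WS07 src=10.0.5.21 result=success
2020-06-29T09:02:44 user=jdoe host=HD-WS12 src=10.0.5.33 result=success
2020-07-02T10:15:00 user=jdoe host=HD-WS12 src=10.0.5.33 result=success
2020-07-09T07:40:12 user=jdoe host=HD-WS07 src=10.0.5.21 result=success
2020-07-09T07:41:30 user=jdoe host=HD-WS07 src=10.0.5.21 result=failure
2020-07-09T08:10:05 user=mlee host=HD-WS03 src=10.0.5.11 result=success
"""


def parse_auth_log(text):
    """Parse the constructed log into dicts with a datetime 'ts' field."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts_str)}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def stale_accounts(separations, directory):
    """Users with a separation date whose directory account is still enabled."""
    return sorted(u for u in separations if directory.get(u, False))


def post_termination_logins(separations, events):
    """Successful logins by a separated user on or after the separation date."""
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        term = separations.get(ev["user"])
        if term is not None and ev["result"] == "success" and ev["ts"] >= term:
            hits.append(ev)
    return hits


def shared_credential_candidates(events, window=timedelta(minutes=15)):
    """One account succeeding from two different hosts within `window`.

    This is an indicator of a shared credential (or of an attacker reusing a
    stolen one), not proof; a user who legitimately moves between two
    workstations will also trip it, so treat hits as leads to investigate.
    """
    by_user = defaultdict(list)
    for ev in events:
        if ev["result"] == "success":
            by_user[ev["user"]].append(ev)
    flagged = set()
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            for second in evs[i + 1:]:
                if second["ts"] - first["ts"] > window:
                    break  # sorted by time, so nothing later can be closer
                if first["host"] != second["host"]:
                    flagged.add((user,) + tuple(sorted((first["host"], second["host"]))))
    return flagged


if __name__ == "__main__":
    events = parse_auth_log(AUTH_LOG)
    print("Enabled after separation:", stale_accounts(HR_SEPARATIONS, DIRECTORY))
    for ev in post_termination_logins(HR_SEPARATIONS, events):
        print(f"Post-separation login: {ev['user']} at {ev['ts']} from {ev['host']}")
    for user, host_a, host_b in sorted(shared_credential_candidates(events)):
        print(f"Possible shared credential: {user} seen on {host_a} and {host_b}")
```

On the constructed data the script reports one account enabled after separation, two successful post-separation logins for that account, and one pair of workstations used by the same account minutes apart. The first check is the one that maps directly to the "termination procedures" finding; the third is the kind of evidence that surfaces a shared login, which unique user identification is meant to make unnecessary.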
EBIA Comment: These resolution agreements address fundamental and common privacy and security issues and provide a reminder that not all breaches are the result of sophisticated cyberattacks. Prosaic failures can also expose PHI to unauthorized disclosures, underscoring the importance of adopting clear policies and procedures, followed by workforce training and consistent implementation. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXV.B (“What Constitutes a Breach?”) and XXX (“Core Security Requirements”). You may also be interested in our webinar “Learning the Ropes: An Introduction to HIPAA Privacy & Security” (recorded on 5/14/20).
Contributing Editors: EBIA Staff.