Wellpoint’s HIPAA Violations Highlight Technical Compliance

July 25, 2013

The insurer's recent settlement with HHS should be a reminder to physicians that a lack of HIPAA safeguards can result in serious issues for their practice.

Despite the longevity of the Privacy and Security Rules, many entities (covered, business associates, or subcontractors) often scoffed at being compliant with HIPAA and subsequently, the HITECH Act. Their reason: It's only a "technical violation." For anyone who watches baseball, it is well known that a "technical violation" can cost a team the game. For example, a run make be revoked for failure to touch a base. Likewise, a "technical violation" -not having the requisite safeguards in place when handling, storing, or transmitting protected health information (PHI) - can cost an entity financially, legally, and in reputation

On July 8, 2013, WellPoint, Inc., an Indiana based company entered into a Resolution Agreement with the HHS' Office for Civil Rights (OCR) and agreed to pay a $1.7 million dollar fine. According to the resolution agreement, "HHS received notification from WellPoint regarding a breach of certain of its unsecured electronic protected health information (ePHI)."

Three months after WellPoint initiated the complaint, HHS provided notification that it was investigating non-compliance with the Privacy, Security, and Breach Notification Rules. The end result was that an "adequate technical evaluation in response to a software upgrade, an operational change affecting the security of ePHI maintained in its web-based application database" was not performed, as well as other ePHI technical requirements and subsequent exposure of 612,000 patients' PHI, which was maintained on the web-based application.

This recent enforcement action presents two items that providers should review:

1. The CMS Provider Agreement and HIPAA 5010 Agreements; and

2) The technical safeguards that are required or addressable under the Final Rule.

By remembering that self-reporting can often mitigate the costs associated with non-compliance, as well as taking steps to implement and maintain proper standards, financial, reputational, and legal risks may be mitigated.