“Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million-dollar settlement,” said Office for Civil Rights (OCR) Director Roger Severino.
Why is this information of any value to us? Let’s break it down to see if this makes sense.
- In case you did not get it. This is but a settlement where Aetna is not admitting to any wrongdoing and possibilities are that the proposed fines are much higher than the one million dollars agreed to in this settlement.
- Most Covered Entities and Business Associates will simply think something like “tough luck to them. That will never happen to us.”
- The reality is that many Covered Entities, including Aetna, have Policies and Procedures covering the requirements of HIPAA, yet the key factor is: can they prove that they are following their own policies and procedures?
- Chances are that most employees of Aetna know about HIPAA yet sometimes it is hard to translate to our day-to-day operations, therefore the three breaches.
Let’s get a little deeper and examine the three incidents (below).
- Two web services used to display plan-related documents to health plan members allowed documents to be accessible without login credentials and subsequently indexed by various internet search engines.
- Impermissible disclosure. Aetna submitted a breach report to OCR stating that on July 28, 2017, benefit notices were mailed to members using window envelopes. Shortly after the mailing, Aetna received complaints from members that the words “HIV medication” could be seen through the envelope’s window below the member’s name and address.
- Impermissible disclosure. A research study mailing sent to Aetna plan members contained the name and logo of the atrial fibrillation (irregular heartbeat) research study in which they were participating, on the envelope.
In addition to the previously mentioned violations the OCR investigation found that Aetna failed to:
- Perform periodic technical and non-technical evaluations of operational changes affecting the security of their electronic PHI (ePHI);
- Implement procedures to verify the identity of persons or entities seeking access to ePHI;
- Limit PHI disclosures to the minimum necessary to accomplish the purpose of the use or disclosure; and
- Have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.
“When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure. Unfortunately, Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million-dollar settlement,” said OCR Director Roger Severino.
Based on the above breaches and settlement negotiations Aetna agreed to pay one million dollars and implement a corrective action plan that included but was not limited to:
- Aetna shall develop, maintain, and revise, as necessary, its written policies and procedures to comply with the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A, C, and E of Part 164, the “Privacy and Security Rules”).
- Aetna shall provide such policies and procedures to HHS within ninety (90) days of the Effective Date for review and approval.
- Aetna shall implement such policies and procedures within ninety (90) days of receipt of HHS’ approval.
- Aetna shall distribute the policies and procedures identified to all members of Aetna’s workforce who use or disclose PHI within ninety (90) days of HHS approval of such policies and procedures, and thereafter to new members of the Aetna workforce
- Aetna shall require all Aetna workforce members who have access to PHI to receive specific training on the policies and procedures within ninety (90) days of the adoption of those policies and procedures.
- Aetna shall retain a training completion record, in electronic or written form, for all Aetna workforce members that are required to receive the training. The training completion record shall specify the date training was received.
- Aetna shall review the training at least annually, and, where appropriate, update the training to reflect changes in Federal law or HHS guidance, any issues discovered during audits or reviews, and any other relevant developments.
Based on the above I will recommend every Covered Entity and Business Associate to do the following as a basic test:
- Pick at Random any of the HIPAA Security Standards and check and see if you have updated policies and any kind of documentation to support that you are meeting the requirements of this Standard.
- Also, ask for a copy of last year’s Security Risk Assessment and the Security Management Plan that covers the findings of the risk assessment and how these “gaps” will be corrected.
If you cannot find any of the above, then you are not in compliance with the law and you could be part of the next press release from OCR.
With the amount of cybercrime that we are facing, and we are expected to face, I will consider HIPAA Security as one of my key operational concerns. So rather than waiting to be “caught” I recommend the implementation of a viable HIPAA Security program with external resources doing an Annual HIPAA Security Risk Assessment. We will even go as far as to recommend the subscription to a service such as EPI Compliance (https://epicompliance.com/) and attendance to the EPI conferences (https://www.epiconferences.com/) to ensure all Standards are addressed. Just remember, if you are going to play the game, make sure to learn the rules.