Featured Health Business Daily Story, Aug. 8, 2013

WellPoint Settles with OCR for $1.7 Million; No Corrective Action Plan Is Required

Reprinted from REPORT ON PATIENT PRIVACY, the industry's #1 source of timely news and business strategies for safeguarding patient privacy and data security.

August 2013Volume 13Issue 8

In a first, the HHS Office for Civil Rights (OCR) has inked a settlement agreement for alleged HIPAA security violations with a covered entity (CE) that does not require the organization to do anything special — except pay OCR $1.7 million.

But aside from this unique aspect, WellPoint, Inc.’s settlement drives home — once again — the need to conduct a security risk assessment, especially when new programs or services are added that require a reconfiguration of information technology systems.

(See related stories on risk assessment, below and p. 4.)

The July 11 settlement resolves allegations that WellPoint had “security weaknesses” that caused the protected health information (PHI) of more than 600,000 individuals to be exposed to possible misuse. The settlement is the third to be announced this year and the 14th in OCR’s history.

More than three years have passed since the start of the incident that triggered the settlement. Exposure of the data began in October 2009, in the early days of the breach notification law, which went into effect in September 2009.

It is not clear why OCR and WellPoint took so long to reach the settlement, a question especially pertinent given the fact it is not accompanied by a corrective action plan (CAP). Some CAPs are quite detailed and would presumably take some time to develop. OCR spokesperson Rachel Seeger would not comment on the agreement other than to say that “not every settlement agreement contains a corrective action plan.”

WellPoint Settles for $1.7 Million

“OCR expects covered entities to take prompt corrective action to mitigate risk as soon as an issue is discovered. As always, a best practice is to document all steps taken to cure compliance issues,” Seeger tells RPP.

WellPoint notified OCR in June 2010 that the PHI of about 612,000 members — including Social Security numbers, addresses, phone numbers and other information of potential health plan members — was “exposed” online from Oct. 23, 2009, to March 7, 2010.

WellPoint learned of the exposure after it was served with a class-action lawsuit from a woman who had been able to access the PHI of others after applying to Anthem Blue Cross of California, a WellPoint subsidiary. That suit was settled in April 2011, with the plan agreeing to produce certain credit monitoring and limited reimbursement of costs for affected individuals.

Third-Party Vendor Was Making Upgrades

At the time, WellPoint said that a third-party vendor was making upgrades and had “validated that our security measures were in place when they were not,” but that it was able to fix the issue within 12 hours of learning of the security gap. WellPoint agreed to notify 640,000 individuals, offer two years of credit monitoring to any affected individual and provide limited coverage of out-of-pocket expenses and other terms.

In addition, WellPoint paid a $100,000 fine to the state of Indiana, where officials said they received late notification that 32,000 residents’ data were among the breached information.

According to the OCR settlement, “WellPoint did not adequately implement policies and procedures for authorizing access to ePHI maintained in its web-based application database consistent with the applicable requirements of the Security Rule.”

WellPoint officials would not answer any questions from RPP about the settlement. Instead, the firm issued the following statement: “As soon as the situation was discovered in 2010, we made information security changes to prevent it from happening again. We also provided the appropriate notifications as required by state and federal regulations. In addition, we provided credit monitoring and identity theft insurance to all individuals who were potentially impacted. We are not aware of any fraud or identity theft that has occurred as a result of this incident.”

At $1.7 million, the settlement amount is the most OCR has assessed, outside of a court finding of a HIPAA violation. WellPoint is now tied for first with the state of Alaska, which also paid OCR $1.7 million in June 2012. The Alaska settlement stemmed from the theft of a portable hard drive that the state wasn’t sure even contained any residents’ PHI but was reported to OCR out of caution.

In contrast to WellPoint, which has been mostly mum, Alaska officials complained bitterly about their settlement, disputing OCR’s claims that they had not conducted a security analysis (RPP 7/12, p. 1). In both cases, Alaska and WellPoint officials say they have no evidence of misuse of the data.

The first settlement agreement OCR made with a CE following the effective date of the 2009 breach notification requirement was with BlueCross BlueShield of Tennessee, which resulted from an October 2009 theft of 57 unencrypted backup tapes with PHI for more than a million members. That theft was reported to OCR in November 2009; the settlement, which called for a $1.5 million payment and a monitoring plan as part of a CAP, was announced in March 2012.

Kirk Nahra, a partner with Wiley Rein LLP, doesn’t think the lack of a CAP for WellPoint is the start of a trend for OCR but probably speaks to the possibility that WellPoint’s HIPAA compliance activities were otherwise up to snuff.

“I don’t think it means [OCR officials] are changing their policy and that there won’t be CAPs,” he tells RPP. “As best as I can tell, they had a problem that’s fairly common, and my guess is everything else was pretty good.”

But, he adds, the high settlement amount “is a little bit of a disconnect. I am not sure how to reconcile that.”

Adam Greene, a former OCR regulator and current partner with Davis Wright Tremaine LLP, speculates that the settlement terms result from negotiations between OCR and WellPoint. “If OCR had really wanted a CAP they would have gotten one,” he says, pointing out that OCR also could conceivably have imposed a penalty of $18 million or more based on calculations for the number of days the potential violations of the security rule went uncorrected. But he points out that “OCR has never shown an inclination since the HITECH Act was passed to maximize their settlements to the largest amount possible.”

Yet that may change and the size of the settlements OCR can obtain will likely matter more in the future. For the time being, OCR gets to pocket whatever it collects but in the future the agency will have to share some of the funds with individuals whose data are misused.

The 2009 HITECH Act required the agency to “establish a methodology under which an individual who is harmed by an offense punishable under HIPAA may receive a percentage of any civil money penalty or monetary settlement collected with respect to the offense.”

According to HHS’s unified agenda that was published July 3, which outlines regulations the agency is working on, OCR expects to issue an advanced notice of proposed rulemaking on this issue by December of this year. The notice will “solicit the public’s views on establishing such a methodology.”

Settlements “will certainly be complicated” when OCR has to distribute some of the money, Greene says. “Who is a ‘harmed’ individual goes way beyond HIPAA” as courts have not yet resolved cases in which victims of privacy breaches have sued for damages.

© 2013 by Atlantic Information Services, Inc. All Rights Reserved.

Let one of the nation’s foremost HIPAA authorities, Reece Hirsch, help you identify the most potentially damaging new HIPAA/HITECH risk areas … with strategies for dealing with them, during Pitfalls to Avoid in New HIPAA/HITECH Regs: Compliance Deadline Sept. 23, an AIS Webinar on Sept. 11. Click here for more information and to register.

It's quick and easy to sign up for FREE access to AISHealth.com!

Why do I need to register?