Among the many 2017 Incidents Was a Mailing Mishap Exposing HIV Data
Federal regulators have hit health insurer Aetna with a $1 million HIPAA settlement for three 2017 breaches, including a mailing incident that exposed HIV information, all of which occurred within a six-month period.
The incident involving the exposure of nearly 12,000 health plan members' HIV information previously resulted in $3 million worth of settlements in 2018 and 2019 with several state attorneys general, plus a $17.2 million class action lawsuit settlement (see: Aetna Fined Yet Again for Exposing HIV Information).
In a statement Wednesday, the Department of Health and Human Services' Office for Civil Rights says its investigation into the three incidents involving impermissible information disclosures revealed a number of HIPAA deficiencies. These deficiencies included failing to:
- Perform periodic evaluations of operational changes affecting the security of electronic protected health information;
- Implement procedures to verify the identity of persons or entities seeking access to ePHI;
- Limit PHI disclosures to the minimum necessary to accomplish the purpose of the use or disclosure;
- Have in place appropriate administrative, technical and physical safeguards to protect the privacy of PHI.
“When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure. Unfortunately, Aetna's failure to follow the HIPAA rules resulted in three breaches in a six-month period, leading to this million dollar settlement,” said OCR Director Roger Severino.
In a statement provided to Information Security Media Group, Aetna, which was acquired in 2018 by CVS Health, says: “Protecting our members' privacy is a responsibility we take very seriously. We have entered into a settlement agreement with the OCR related to incidents that occurred in 2017, during which personal health information was inadvertently exposed.
“These incidents occurred prior to Aetna becoming part of CVS Health and did not involve any of the company's other businesses. We have since updated our processes and procedures to further protect member information and are working cooperatively with OCR to further enhance our policies related to privacy and security.”
OCR says that Aetna submitted a breach report stating that on April 27, 2017, it discovered that two web services used to display documents to health plan members allowed those documents to be accessed without login credentials, and that the documents were subsequently indexed by internet search engines. The insurer reported that about 5,000 individuals were affected by this breach.
In a second breach report filed in August 2017, the insurer said benefit notices had been mailed to members using window envelopes. Shortly after the mailing, Aetna received complaints from members that the words “HIV medication” could be seen through the envelope's window below the member's name and address, OCR notes. Aetna reported that nearly 12,000 individuals were affected by this incident.
In the third breach, reported in November 2017, a research study mailing sent to Aetna plan members displayed on the envelope the name and logo of the atrial fibrillation research study in which they were participating. Aetna reported that 1,600 individuals were affected (see Aetna Hit with More Penalties for Two Breaches).
The investigation into the root causes of the breaches reported by Aetna highlights the need for effective information assurance programs that safeguard PHI in all forms and formats, says privacy attorney David Holtzman of consulting firm HITprivacy LLC.
“Organizations with successful programs employ a risk-based approach that identifies where sensitive consumer information is created and stored, looks at how access to data is managed and monitored, and ensures a comprehensive plan for physical and technical controls to protect data,” he says.
“Healthcare organizations that mitigate vulnerabilities identified through a risk-based approach to safeguarding data are continually evaluating the adequacy of their approach against new and evolving threats, as well as changes to their business environment or the way they are creating or using sensitive consumer information.”
Corrective Action Plan
The resolution agreement with Aetna includes a corrective action plan that requires the insurer to:
- Develop, maintain and revise its HIPAA policies and procedures;
- Ensure these policies and procedures address performing periodic evaluations in response to environmental or operational changes affecting the security of PHI; authenticating those seeking access to PHI; limiting the disclosure of PHI to the minimum necessary to accomplish a given purpose; and applying appropriate administrative, technical and physical safeguards to protect the privacy of PHI;
- Distribute these policies and procedures to its workforce and provide training.
Other Enforcement Actions
The settlement with Aetna follows a string of a dozen other HIPAA enforcement actions by OCR in recent months.
These include a series of cases involving patients' right to access their records and three multimillion-dollar settlements following breaches involving hacking incidents (see HHS Issues Another Right of Access Settlement).
The largest of the recent actions was a $6.8 million settlement with Premera Blue Cross after a 2014 breach that exposed information on 10.4 million individuals.